Your IT Resources are valuable tools used to operate and propel your business. If you want these tools to be respected, you need to ensure your employees understand “Acceptable Use” and sign off on this understanding. Unacceptable use can lead to wasted resources, reduced productivity and, if no Use and Abuse Policy is in place, lawsuits directed towards you and your business.
I just returned from a road trip where I found that a large number of businesses I visited had no IT Use and Abuse Policy in place. Like bad passwords, this is so important, so dangerous, and so easy to correct, I’m pushing IT Use & Abuse Policies ahead of this month’s scheduled topic.
In this month’s newsletter I discuss why an IT Use and Abuse Policy is so important, what the policy needs to include, and how to insure your staff acknowledges they have read and understand the policy.
Why you need an IT Use and Abuse Policy
The first purpose of the IT Use and Abuse Policy is to educate your staff as to what constitutes Acceptable Use of company IT resources, as well as what is considered Unacceptable. You can have no compliance expectations if you don’t educate.
The second purpose of the IT Use and Abuse Policy, once you have established companywide understanding, is to make the best, most efficient use of your IT Resources. If your staff complies with the policy you’ll be able to stretch your resources (no server storage wasted on iTunes and personal photos), reduce your expenses (no need to increase your Internet bandwidth if they stop downloading movies and stop streaming radio), and increase productivity (eliminate non-company emails, facebook, and twitter).
The third purpose of the IT Use and Abuse Policy is to provide the basis to be able to discipline staff who refuse to comply, and to protect your business from lawsuits arising from illegal or immoral activity originating from within your business IT environment. You effectively eliminate the “I didn’t know… I wasn’t allowed to send out 40,000 pieces of sexist emails” defense, and you protect your business from the liability associated with 40,000 unacceptable emails leaving your mail server.
What your IT Use and Abuse Policy should include
The policy should begin with an introduction describing the purpose of the policy, and the employees’ responsibility to comply with the policy.
The policy body should specifically state what is acceptable use of your company’s IT Resources, as well as what is unacceptable, in easily understandable and unambiguous language. It should also discuss the user’s expectation of privacy (there is none) and explicitly state your rights as the owner of the resources. It should close with a clear message that non-compliance is not tolerated and will result in disciplinary action.
Topics that should be discussed in terms of both acceptable and unacceptable use include:
- Company email
- Personal email
- Facebook and Twitter
- Instant Messaging
- Internet browsing
- Internet downloads
- Internet streaming (audio and video)
- Using a Secure Password
- Divulging network credentials
- Installing unauthorized applications on computers
- Installing remote access applications on computers
- Storing personal data (pictures, music, etc) on PCs or Servers
- Downloading software
- Connecting any personal device (Laptop, PC, Tablet, Phone) to the Private Business Network
- Connecting any device (Laptop, PC, Tablet, Phone) to the Private Wireless Network
- Unauthorized transfer or copying company proprietary or confidential information
- Connecting any personal storage device (USB Drive, Thumb Drive) to a company computer
- Copyright infringement
- Manner and content of all communications originating on company devices
- Running, authorizing, or assisting with security scans on the infrastructure
- Any form of harassment
- Any illegal activity
The policy should also include the very clear statement that all IT Resources are the property of the company, and everything stored, processed, transferred, received, or transmitted by these resources are the property of the company. The company reserves the rights to access, inspect, and monitor all information stored or processed by their resources. As such, an employee should have no expectation to privacy regarding this information.
Additionally, the policy should clearly state that all company data and information is the exclusive property of the company and is considered very confidential. Copying it, removing it from the premises, or divulging it in any way to non-company persons is strictly prohibited. This should be reinforced through the use of Non-Disclosure Agreements (NDAs), signed by every employee.
Finally, the policy should highlight that all IDs, Passwords, electronic Keys, and codes are business confidential and must be kept private. Divulging any of these to unauthorized persons is strictly prohibited and will result in immediate termination.
All employees must sign off on the IT Use and Abuse Policy
I strongly recommend that you have all employees sign a statement that they have read and understand the company’s published IT Use and Abuse Policy every year, and that this statement be filed in each employee’s Personnel folder. Annual signing precludes the “I didn’t know you added THAT!” defense.
We advise our clients to include the IT Use and Abuse Policy as part of their Employee Handbook, and have every employee sign off on reading the handbook as part of the annual review process.
This is also a good time to have the employee sign and review their annual NDA, which also goes in their Personnel folder.
While not directly associated with company IT Resources, this is a good platform to discuss use of personal smart phones while on the clock. Many of our clients now prohibit personal tweets, email, texting, phone calls, and facebook interaction during working hours, so we discuss this in an addendum to the IT Use and Abuse Policy.
We’ll often add a Frequently Asked Questions (FAQ) section to the end of the policy to clarify the topics, and to help simplify the topics. One really nice thing about the FAQ – it is a simple matter to add new questions and answers as your staff presents them.
If you have any questions or comments concerning this article, or would like assistance developing an IT Use and Abuse Policy for your company, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.
About Tom K
Tom K has spent the last 28 years working with company leaders to develop their technology strategies and create IT environments that will best serve their business goals, optimize the use of their computing resources, maximize their systems up-time, and get the most out of their IT investment.
Tom K’s experience was developed as a Director and lead consultant with three respected technology firms, one servicing Vacation Rental Management companies across the country, and two servicing NYC Clients in the banking, finance, and manufacturing industries. Tom also served as CTO for an e-Commerce Web Consultation firm and as IT Director for an international consumer testing company. He holds senior technical certifications from Cisco, Microsoft, Citrix, HP, and Intel.
Tom K brought his expertise from Wall St. to the Vacation Rental and Real Estate industry in 2003. Through his technical skills and business acumen, Tom has helped numerous companies effectively utilize technology to realize their business goals, increase productivity, and improve their bottom line.
Tom K’s extensive experience as both consultant and IT Director provides him with an in-depth understanding of the needs and expectations of his Clients, from both the business and the technical prospective. This knowledge allows Tom to consistently provide the solutions and exceptional levels of service required to exceed those expectations.