IT governance and Information Technology policies is not generally a hot topic for SMEs. However, planning business growth and development is impossible without a solid technology platform. Therefore, putting in the proper IT policies and practices to ensure that your infrastructure (be it done internally or outsourced) aligns with your business mission is essential.
In large enterprises and organisations, matters of IT policy are within the competence of the Chief Information Officer (CIO). Such organisations will have quite large and verbose IT policies, often revised by a lawyer for legal purposes. But an IT policy does not need to be a large volume of legalese to be meaningful and valuable for corporate governance.
Defining Scope and Responsibility
The scope of any IT policy should clearly be defined – what it enforces, who it applies to, who is the Policy Owner, etc. An important aspect to consider are internal and external governing documents (provincial or federal legislation) that directly applies to IT practices in your industry. For example, institutions dealing with private health information fall under the Ontario Personal Health Information Protection Act (PHIPA).
There may also be certifications that influence IT policies and standards that must be considered. For example, ISO certification mandates certain IT practices to uphold certification.
Each policy should clearly indicate who is responsible for implementing/upholding it (executive, user, external consultant, etc.)
What are the essential IT policies relevant to SMEs?
IT Infrastructure Documentation
IT Documentation is critical for business continuity and knowledge retention about IT systems. The IT infrastructure documentation policy should establish a minimal list of documents to be created and maintained. Some examples of IT documents that are critical for any organisation:
- IP address distribution table spreadsheet;
- System and Network diagram;
- Firewall access control list, or similar list of access rules;
- Active Directory user audit spreadsheet, including security group membership;
Acceptable Use of Information Technology
The Acceptable Use policy determines what users can or cannot do with IT resources. It touches on things like who may use IT resources (authorisation), users’ responsibility, and limitation on personal use.
Areas that are covered by Acceptable use would be:
- Internet, including social media, and could platforms
Arguably one of the highest concerns for some enterprises, as everyone tries to protect data leaks and security breaches due to high liability costs (as we discussed in our article on Cyber Liability). The policy should define and list the information (data) covered by it (Confidential company-owned data, private data, databases, hard copies, etc.) and cover areas like:
- Domain Access and Accounts;
- User and administrator passwords;
- Remote Domain and Computer Access, including access by Third Parties;
- Network security: firewall, Remote login and Administration, network segregation, wireless networks, etc. (in larger policies, there may be a separate policy on Network Security in addition to Information Security);
- Antivirus protection;
- External Storage Devices;
- Email and Content filtering;
- Portable computing and Mobile Devices;
IT Services and Standards
This policy should define what services that IT department provides and what standards should be followed. For example, shared network storage and access to it, printing, data retention and backup standards, etc.
IT Systems Management and Maintenance
This policy should deal with things like hardware replacement and rotation (how frequently), managing firmware and software updates, monitoring, day-to-day operations, etc.
This should talk about how IT incidents are handled at your company, i.e. who is responsible for reporting incidents and to whom, what are the resolution times (SLAs), what are standard procedures in handling incidents, etc.
IT incidents should be differentiated by severity. IT Disaster Events should be separately defined and a separate policy for Disaster Recovery should be written.
The Information System is a an aggregation of all IT resources (hardware and software) that support key business processes. With respect to the mission of any company with a (moderately) complex value chain, it is important to understand how the information system serves the business process, and how well the two should align. Information system policies should define the standards for developing and auditing key business processes and information systems.
Commit100 has experience in developing and consulting on IT policy for SMEs, as well as performing IT audits to determine de-facto (existing but undocumented) IT policies and practices.