Last updated: 15.03.22

What should my organisation's IT policy include?

There are few issues facing modern businesses with as much hot-button significance as cyber security. As digital technologies become more and more ingrained into all aspects of corporate life, the pressure on companies to safeguard their sensitive data with a robust IT policy only grows more pronounced.

The importance of getting it right on cyber security was underlined by a UK government report from 2017, which indicated that one in ten of Britain's biggest companies operate without a response plan for a cyber incident, while 68 per cent of FTSE 350 boards have not received any training on how to deal with such an occurrence. This isn't a great look for organisations of any size - and, more to the point, it puts them at risk of falling prey to cyber criminals, and suffering significant financial and reputational damage.

With the EU's General Data Protection Regulation (GDPR) now in force, it is more important than ever for business leaders to devise a comprehensive IT policy: it is the mechanism by which everyone within the organisation is told what their responsibilities are when it comes to data protection and security, and the document a regulator will ask for after an incident.

How to develop a corporate IT policy

Drawing up a comprehensive IT policy for your company means putting a proper structure in place, leaving nobody in any doubt as to what aspects each section of the document covers, and which members of the organisation will be responsible for executing and enforcing it.

This means designating overall accountability for IT and cyber security to a specific department or individual. Note that GDPR does not tie this to company size: it requires a dedicated data protection officer for public authorities, and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health or biometric data). Whether or not your organisation falls into those categories, someone must own the policy.

The document itself, meanwhile, should be clear about the scope of each policy and how it is to be applied, with specific, action-oriented descriptions and step-by-step procedures placed alongside at-a-glance overviews for quick scanning. You should also ensure your IT policy is reviewed and updated regularly in line with evolving regulatory standards, and that each revision is versioned and dated so that changes are easily traceable.

Suggested principles

Naturally, the full scope and remit of your organisation's IT policies are likely to depend on the type of business you run, and the nature of the data you're responsible for processing. However, there are a few policy principles that are likely to be key components of any well-structured IT plan:

  • Acceptable use - detailing the circumstances under which corporate IT resources can be permissibly used
  • Confidential data - defining which information the company deems to be sensitive, and explaining how it should be handled
  • Network access - explaining to staff and guests what procedures exist around device passwords, firewalls, networked hardware and wireless network usage, as well as covering what needs to be done to ensure security when connecting mobile devices
  • Emails - outlining usage guidelines for the company email system to reduce the risk of any email-related security incidents
  • Passwords - making sure that all members of staff adhere to a consistent standard for choosing strong passwords that cannot be easily guessed, keeping them confidential, and not reusing them across systems
  • Physical security - defining a policy for how physical devices are handled and transported, guarding against common risks
  • Incident response - providing a step-by-step guide for everyone within the organisation to follow in the event that a breach does occur, with a focus on alerting the relevant parties, minimising the impact on network and data integrity, and recovering as quickly as possible

The need for rigorous training

Putting together a robust IT policy represents a big step towards a more secure and forward-thinking future for your organisation, but you need to remember that these policies won't enact themselves - that duty falls on the company's staff, all of whom need to be well-drilled on their new responsibilities if they're going to be able to live up to them.

As such, any new IT policy should be accompanied by rigorous training initiatives to make sure everyone within the organisation - from the highest-ranking members to the frontline staff - knows and understands these principles from back to front. After all, it only takes a single lapse to create a potentially critical weakness in your company's cyber defences.

By committing the necessary resources to learning and development, you can avoid this eventuality, and ensure that your organisation is seen as a secure and trusted steward of confidential data for years to come.
