5 Tech Policies You Should Be Reviewing Right Now
Admittedly, we all have a little extra time on our hands this year. Hey, so now's the time to take care of those important management details that help govern the operation of your business!
Technology-related policies reflect management's intent to control its information system. The absence of policies usually reflects poorly in a court of law and in public opinion: if management never communicated a position on technology governance to employees, customers, or vendors, then "Due Care" obligations could be considered ignored. Management could then be seen as negligent in its handling of an issue, which extends liability and makes it difficult to prove that "reasonable" precautions were taken in preserving customer data, securing network resources, or terminating an employee for cause.
1. Write or revisit your Technology Plan (TP). The TP is a complementary document to your overall business plan and would traditionally be prepared by the executive responsible for technology strategy. It is usually 24 months in scope and identifies how tech spend complements your business strategy. It is an evolving document that lays down principles for how technology will be used and managed within your firm, and how tech relates to your success. This document should guide your purchasing, management, and deployment of tech indefinitely, and should evolve over time as technology issues continue to shape the macro economy.
2. Write or revisit your Disaster Recovery and Business Continuity Plan (DR/BCP). Think about how critical software and hardware are to the execution of your business strategy. Think about how important years of electronic data are to your ability to do your job. Now think about this stuff being wiped out in a flood, burned in a fire, or just the victim of bad luck - a hard drive failure. After Hurricane Katrina, more than 20,000 small businesses folded on the Gulf Coast because they didn't have a way to recover their electronic data to resume business operations. Now is precisely the time to revisit how data is stored, how it is backed up, how it is moved off-site, and how services would be restored in the event of an emergency.
3. Write or revisit your Acceptable Use Policy (AUP). The AUP is the most critical policy in your Administrative arsenal. It outlines to employees and others who use your electronic resources what rights and obligations they have in using those resources. It is usually the principal document signed at hire that outlines what is good and bad behavior in using your resources, and it is the governing document that allows employers to terminate for cause. If an AUP doesn't exist, it's difficult to show that expectations of behavior were communicated to employees, and a wrongful termination defense could be mounted. An AUP should be an evolving document, as threats in IT change every 24 months. Now's the time to really take a look at this again.
4. Write or revisit your privacy policy and your legal liability for protecting personal private information (PPI). Your firm may be subject to federal or state regulations governing the security and privacy of electronic information - of patients, consumers, job applicants, or financial records. Fines are usually levied on a "per incident" basis, and if you have thousands of records outside of compliance, the liability is enormous. Further, it's best practice these days to communicate to stakeholders up front how you manage PPI and secure it. If you don't have a privacy policy, "Due Care" concerns could be raised that management was negligent in managing the private information of a party, which could result in a civil tort for damages. Over 31 states have individual laws governing PPI; these, in addition to the federal laws governing protected classes of information, demand a thorough investigation of your compliance obligations.
5. Write or revisit your procedures governing employee terminations and audits. Finally, keep in mind the number one security risk for you during these economic times. It's not hackers, viruses, or malware. It's employees, and specifically, terminated employees who still have access to your confidential intellectual property. Now, if ever, is the time to revisit those procedures and verify that employee access restrictions are performed, documented, and reviewed.
Policies, procedures, work instructions, and plans are Administrative Controls that reflect management's _intent_. If management's intent isn't communicated, and technology is governed by assumption and intuition, then management isn't "managing" technology - it is hoping for the best without taking on the responsibility to effectively govern it. Now is your chance to reflect upon how your intent is reflected in the workplace and how well you've addressed technology "Best Practices" and regulatory compliance issues as a management team.