Five policies for every IT consultancy employee handbook

Erik Eckel explains why every IT consultancy employee handbook should include these policies: Internet and email usage, confidentiality, data storage and protection, documentation, and social media.

IT consultancies have the same responsibilities as other organizations. Staff must be properly educated as to acceptable behavior using information systems and equipment, and not just the consultancy's infrastructure but clients' infrastructure, too. Any IT consultancy employee handbook should include, at a minimum, these five policies.

1. Internet and email usage policy

I recently read that Cameron Diaz's name is most associated with searches resulting in malware infections. Unless your consultancy works in the entertainment industry, I can't think of a legitimate business reason to be searching her name using company-provided Internet services.

Limiting Internet and email use to strictly business purposes lowers telecommunications costs by reducing the bandwidth required, prevents numerous unnecessary malware infections, reduces the likelihood of phishing scams, and protects company and client systems from threats and vulnerabilities.

Even a tight Internet and email usage policy doesn't guarantee that employees will comply, but at least it's a start.

2. Confidentiality policy

An IT consultancy's processes, systems, and client base, as well as its clients' data, license keys, passwords, network architecture, and security practices, are all highly sensitive information. Like the Brink's security motto, there's a sacred trust involved.

IT consultancies have an obligation to protect themselves and their client data. Implementing a confidentiality policy helps ensure staff understand sensitive and proprietary information is to be protected, closely guarded, and kept confidential, even when a staff member leaves for another consulting organization.

3. Data storage and protection policy

The stories about data security breaches are numerous, even infamous. As the adage goes, information wants to be free. So whenever an IT consultancy's engineers copy client data to USB keys, thumbdrives, external hard disks, or other storage media, the consultancy must guard those repositories very carefully.

A data protection policy must outline the steps all employees must follow whenever transferring or copying client data. In some cases, due to the sensitivity of a client's data, it might be necessary to destroy the drive used to transfer the information. The policy should certainly prohibit engineers from storing any data on devices or disks removed from the client's office. Such policies should also prohibit thumbdrives loaded with data from one client from being used at a second client location without, at a minimum, a complete reformatting.

4. Documentation policy

IT consultants earn their living configuring, administering, and repairing information technology systems. This means consultants are frequently deploying servers, configuring Active Directory environments, registering domain names, setting up email accounts, establishing off-site backups, deploying routers, and much more.

All of these tasks require documentation: IP addresses, account registrations, logins, usernames, passwords, shared secrets. IT consultancies need to ensure all employees understand that when they deploy a new device or system, they must document all aspects of that technology. Without documentation, the consultancy will find it difficult to update, support, troubleshoot, and administer the very technologies it deployed. All staff should understand what information must be documented, the process and tools used to record the documentation, the location in which all such documentation is kept, and the procedures used to secure that documentation. A documentation policy is the solution.

5. Social media policy

An increasing number of technology professionals are taking to blogs, Facebook, Twitter, and other sites to share everything from personal information to tales of how they're spending their day. If it involves your IT consulting work, many clients will prefer this information goes unpublished -- clients may not even want it broadcast if they are outsourcing technology services. Consultants don't want to lose business because they inadvertently revealed the client's dirty laundry via a simple, well-intended Twitter post.

IT consultancies must ensure staff understand which kinds and types of information are okay to share (e.g., grabbing lunch at The Wagon Wheel) and the kinds and types of information that are not okay to share (e.g., I'm removing another malware infection from the county police department server). A policy is one way to ensure staff receive written guidelines as to what information is acceptable and what information must be kept off social media sites.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

14 comments
Mon_Selis

To be the employer, I guess you wouldn't have much difficulty if the monitoring system you're using is doing snapshots of the employees' activities online to check on what they're doing, like what Time Doctor can do. The employees will likely comply if you let all employees know about the system installed so they would know what's expected of them.

TownsendA

What about use of mobiles (we call them cellphones)? They are web enabled, take pictures and do e-mail. Their use in the office space should be closely monitored. What is that person doing on his mobile? He's been on it for too long. Younger workers are prone to calls and text (SMS) messages all day. They have to be reined in by a policy restricting use or denying use altogether.

MUnruh23

While a reasonable case can be made for not letting people check their personal e-mail, news pages, etc., today's work world is very different from that of even 20 years ago. People OFTEN take their computers home and do work in the evenings - if you are going to crack down on the blurring of the line between business and personal, I'm thinking they will, too. People work more flexible hours, but those I know mostly work more hours than they did 20 years ago (when's that thing I read about in my Weekly Reader about technology simplifying our lives and making it possible to work less going to happen?). I think companies have benefited from this trend at LEAST as much as employees have. Being 'reasonable,' while certainly a subjective concept, is a concept that is tossed aside at your own peril, as a rigid redrawing of the lines is almost CERTAINLY going to cut both ways.

codybwheeler

You're very right. It's a little bit creepy sometimes how forensic people can get when trying to spy on their competitors' activity. Here's a post on our blog about social media policy. Social Media Policy

tbmay

...with all the 3G/4G/MiFi on the scene now and in the future. The determined can just bypass your network on the phone. Of course, that could help reduce the desire to do bad things too. One thing I would have added to your list is a non-compete clause in any employment contract. I darn sure ain't willing to pay a salary to a guy who's competing with me on the side in his moonlighting adventures. He needs to bite the bullet and start his own business if he's going to do that.

guycookson

"By limiting Internet and email use to strictly business purposes, it lowers telecommunications costs by maximizing required bandwidth, prevents numerous unnecessary malware infections, reduces the likelihood of phishing scams, and protects company and client systems from threats and vulnerability." Maybe, but it will also lead to a frustrated team cut off from the outside world. People are not machines. No one can work throughout the day, even if they think they can. There's no reason why the IT team shouldn't be able to browse the open web. It's not difficult to avoid risky sites.

PMPsicle

And don't forget those pencils ... those erasers at the end will encourage them to make mistakes. ]:) ;)

Erik Eckel

Really? It's the workplace. Most enterprise environments lock employees down anyway as a matter of HR policy. Organizations that permit employees free Internet use are only opening themselves to liability, malware infection and lost productivity. That's not to say staff view business headlines throughout the day, but enabling Internet access beyond that required to complete job tasks only opens organizations to vulnerabilities. Some of the IT staff at the companies we've supported have been responsible for the introduction of threats in the first place. We've even seen some IT staff hosting game servers for public use on the Web. That's not a good use of a company's server resources or telecommunications circuits.

rgoeken1

I see you subscribe to the policy that IT should rule the world (and justify their existence too). We see many statements about lost productivity, threats, etc. I would welcome someone backing up these comments vs. a well-thought-out usage plan. What is wrong with stating a policy that the services should be used for business purposes, and including that statement as a display in the login procedure? Don't use one of the "filters" that effectively blocks the sites that you need because of some obscure rule. When researching a valid product, the fourth or fifth block will have you going up the wall (from experience). As an example of a bad rule, "Block all access to YouTube", not understanding that many companies use YouTube to display their product videos. I could list many more examples of blocking valid sites. What should be done is to have a monitoring system that logs all sites visited and produces reports that indicate employee usage, and sites visited by number and total time. Non-justified usage should be discussed with the employee. Much easier to administer and no costly filter fees.

Sterling chip Camden

... then you need to get rid of them. Two simple rules: 1. Get the job done right. 2. Don't do anything stupid. If you need to say more, they don't belong. But then, maybe that's why I no longer hire people.

Sterling chip Camden

I get lots of people looking for work, too. "Sorry, I'm freelance." Free -- best word in the English language. Lance -- stick it to "the man". I'll neither work for him, nor be him, any more.

santeewelding

Every day I am beset with those who look for the "job". I try to be as respectful and careful as I can. I point and ask those who show up in person, "Do you see that long line of people lined up waving money in their hands to get my attention?" "No," shaking their head, they say. "I don't either," I say. I do thank them -- so many with desperation in their demeanor -- for thinking of me and my company. And, that's the end of it. Except for not telling them that the moment I hire anyone, I am no longer in charge of the business. They, the government, and their attorneys are in charge. No way. Never again.