When it comes to building and implementing an IT policy, no quick-fix or one-size-fits-all solution will
adequately serve your needs. Every business is different, and the approach taken to meet objectives and/or
ensure compliance will vary from one environment to another, even in the same industries. But you can take
advantage of certain best practices to increase your odds of crafting and implementing a
policy that employees will support and that will help protect your organization.

Executive support

For starters, no policy will succeed without the basic buy-in from senior leadership. Senior executives,
directors, and managers should be asked to provide input and some form of approval to the policy.
Obtain a clear statement of support before you start creating the policy and continue to keep senior
management educated and involved as it is written. When the policy is ready for implementation, request
that management formally present it to your organization, stressing its importance.

Consensus building

As you begin formulating a policy, you should involve all interested parties in the discussion of its
establishment by creating a committee. Your committee should consist of the owner of the policy, subject
matter experts, frequent users of the policy, and representatives from groups affected by the policy.
You may also want to consult specific groups within your particular organization, such as Human
Resources, Financial, and Legal. These groups can make recommendations based on the impact of the
policy on the organization as well as on its viability and legitimacy. This will ensure the policy you develop is
fully understood by everyone concerned and that it has their backing once it’s implemented. That broad base
of support is one of the best assurances for policy success.

Policy contents

Although policies vary from organization to organization, a typical policy should include a statement of
purpose, description of the users affected, history of revisions (if applicable), definitions of any special terms,
and specific policy instructions from management.

Make sure everyone has a clear understanding of the purpose of the policy. Are you creating this policy
because you have to be in compliance with some ruling? Are you trying to cut down on costs or create
additional savings? Are you ensuring liability will not be placed on the company?

Creating a uniform policy format to ensure that information will be presented to the reader in a consistent
manner is paramount for policy success. A uniform format will make the policy easier to read, understand,
implement, and enforce. Keep the scope of your policies manageable as well. Consider making separate,
smaller policies that address specific needs.

The language of your policies must convey both certainty and unquestionable management support.
Remember, you’re setting policy, not describing standards. A standard would, for example, define the
number of secret key bits that are required in an encryption algorithm. A policy, on the other hand, would
dictate the need to use an approved encryption process when sensitive information is sent over the public
Internet.

Standards will need to be changed considerably more often than policies because the manual procedures,
organizational structures, business processes, and information system technologies change much more
rapidly than policies. You can reference standards within a policy and modify the standard itself as the
technology or compliance requirements change, leaving the policy untouched.

After you roll out a policy, you may see many examples of inappropriate use or violations, but it’s difficult to
anticipate them. So it’s important to have catch-all clauses within your policies, such as:

  • “Viewing or downloading offensive, obscene, or inappropriate material from any source is forbidden.”
  • “The storing and transfer of illegal images, data, material, and/or text using this equipment is forbidden.”

Research and preparation

In drafting your policy, you will want to research related issues both inside and outside the company. Some
common areas to research include:

  • Company policy library (if you have one)
  • Forms and documents required to develop or complete the policy: request forms, legal documentation,
    etc.
  • State and/or federal laws that are relevant to your policy
  • Similar policies at other businesses

One of the biggest mistakes companies make when they begin designing policies is to create
guidelines and restrictions without any understanding of how the company’s business actually works.
Although there’s always going to be a factor of inconvenience with any security policy, the goal is to create
a more secure environment without making things overly difficult or hard to understand for the people having
to use the resources the policy is trying to protect.

Policies that ignore the company’s business model will be circumvented over time, and the overall security
posture can end up worse than before the measures were implemented. So make sure part of your research
involves developing a solid understanding of business processes so that your policy can work with them,
rather than against them.

Policy reviews

Even after you’ve finished drafting or updating a policy, the job is not complete. The policy should be
reviewed by legal counsel to ensure that it complies with state and federal laws before it’s finalized and
distributed to employees. Further, you should review the policies on a regular basis to make sure they
continue to comply with applicable law and the needs of your organization. New laws, regulations, and court
cases can affect both the language of your policies and how you implement them.

Most experts suggest a thorough review of your policies at least once a year and the use of a dedicated
notification system/service to keep employees informed of changes. And when revised policies are
introduced, you should formally distribute and thoroughly explain them to all employees.

Policy pointers

  • Consider holding (depending on the size of your company) a series of meetings that involves all
    interested parties.
  • Do not fill policies with “techie” terms. Policies must be written in layman’s terms or the concepts may
    be lost on the end users.
  • Set out what behavior is reasonable and unreasonable and determine procedures for dealing with
    specific abuses.
  • Try to keep policies to the point. Long written policies are difficult to read and comprehend, and users
    may be confused or simply give up on trying to understand them.
  • Agree upon a framework for policy review. Usage and technology may change, so you need to be
    flexible and adapt the policy when it is required.
  • Decide, define, and mandate “what” is to be protected.

Done right…

Well-crafted policies show that an organization and its management are committed to security and expect
employees to take it seriously. Such policies provide an overall security framework for the organization,
ensuring that security efforts are consistent and integrated rather than ad hoc or fragmented.
A good, regularly reviewed policy can be both an effective employee relations tool and a helpful defense
against lawsuits. In contrast, policies that are poorly drafted or misapplied can decrease efficiencies and
create roadblocks for normal business activities. Invest the necessary amount of time and effort to make
sure your policies are solidly built and properly implemented.