Erik Eckel explains why every IT consultancy employee handbook should include these policies: Internet and email usage, confidentiality, data storage and protection, documentation, and social media.
IT consultancies have the same responsibilities as other organizations. Staff must be properly educated as to acceptable behavior using information systems and equipment, and not just the consultancy's infrastructure but clients' infrastructure, too. Any IT consultancy employee handbook should include, at a minimum, these five policies.
1. Internet and email usage policy
I recently read that Cameron Diaz's name is most associated with searches resulting in malware infections. Unless your consultancy works in the entertainment industry, I can't think of a legitimate business reason to be searching her name using company-provided Internet services.
Limiting Internet and email use to strictly business purposes lowers telecommunications costs by making the most of the bandwidth required, prevents numerous unnecessary malware infections, reduces the likelihood of phishing scams, and protects company and client systems from threats and vulnerabilities.
Even if you implement a tight Internet and email usage policy, it doesn't guarantee that employees will comply, but at least it's a start.
Related TechRepublic resources
- Download: TechRepublic Pro's Internet Usage Policy (premium content)
- Download: TechRepublic's Internet and E-mail Usage Lunch and Learn Presentation (premium content)
- Craft your own Internet usage policy with this sample
2. Confidentiality policy
An IT consultancy's processes, systems, and client base, as well as its clients' data, license keys, passwords, network architecture, and security practices, are all highly sensitive information. Like the Brink's security motto, there's a sacred trust involved.
IT consultancies have an obligation to protect themselves and their client data. Implementing a confidentiality policy helps ensure staff understand sensitive and proprietary information is to be protected, closely guarded, and kept confidential, even when a staff member leaves for another consulting organization.
3. Data storage and protection policy
The stories about data security breaches are numerous, even infamous. As the adage goes, information wants to be free. So whenever an IT consultancy's engineers copy client data to USB keys, thumbdrives, external hard disks, or other storage media, the consultancy must guard those repositories very carefully.
A data protection policy must outline the steps all employees must follow whenever transferring or copying client data. In some cases, due to the sensitivity of a client's data, it might be necessary to destroy the drive used to transfer the information. The policy should certainly prohibit engineers from storing any data on devices or disks removed from the client's office. Such policies should also prohibit thumbdrives loaded with data from one client from being used at a second client location without, at a minimum, a complete reformatting.
Related TechRepublic downloads
- File Storage Policy
- TechRepublic's Data Protection Policy (premium content)
- TechRepublic's Storage Security Policy (premium content)
- TechRepublic's Data Retention Policy (premium content)
- TechRepublic's Portable Storage Policy (premium content)
- Chapter download: Data Protection and Information Lifecycle Management
4. Documentation policy
IT consultants earn their living configuring, administering, and repairing information technology systems. This means consultants are frequently deploying servers, configuring Active Directory environments, registering domain names, setting up email accounts, establishing off-site backups, deploying routers, and much more.
All of these tasks require documentation: IP addresses, account registrations, logins, usernames, passwords, shared secrets. IT consultancies need to ensure all employees understand that when they deploy a new device or system, they must document all aspects of that technology. Without documentation, the consultancy will find it difficult to update, support, troubleshoot, and administer the very technologies it deployed. All staff should understand what information must be documented, the process and tools used to record the documentation, the location in which all such documentation is kept, and the procedures used to secure that documentation. A documentation policy is the solution.
Related TechRepublic resources
- 10 things you can do to create better documentation
- Download: 6 steps to better software documentation
- Download: Documentation checklist: What the new IT guy needs to find out
- Download: Network documentation outline
- Download: Network Documentation Outline (premium content)
5. Social media policy
An increasing number of technology professionals are taking to blogs, Facebook, Twitter, and other sites to share everything from personal information to tales of how they're spending their day. If it involves your IT consulting work, many clients will prefer that this information go unpublished; clients may not even want it broadcast that they are outsourcing technology services. Consultants don't want to lose business because they inadvertently revealed the client's dirty laundry via a simple, well-intended Twitter post.
IT consultancies must ensure staff understand which kinds of information are okay to share (e.g., grabbing lunch at The Wagon Wheel) and which kinds are not okay to share (e.g., I'm removing another malware infection from the county police department server). A policy is one way to ensure staff receive written guidelines as to what information is acceptable and what information must be kept off social media sites.