Five policies for every IT consultancy employee handbook

Erik Eckel explains why every IT consultancy employee handbook should include these policies: Internet and email usage, confidentiality, data storage and protection, documentation, and social media.

IT consultancies have the same responsibilities as other organizations. Staff must be properly educated as to acceptable behavior using information systems and equipment, and not just the consultancy's infrastructure but clients' infrastructure, too. Any IT consultancy employee handbook should include, at a minimum, these five policies.

1. Internet and email usage policy

I recently read that Cameron Diaz's name is most associated with searches resulting in malware infections. Unless your consultancy works in the entertainment industry, I can't think of a legitimate business reason to be searching her name using company-provided Internet services.

By limiting Internet and email use to strictly business purposes, it lowers telecommunications costs by maximizing required bandwidth, prevents numerous unnecessary malware infections, reduces the likelihood of phishing scams, and protects company and client systems from threats and vulnerability.

Even if you implement a tight Internet and email usage policy, it doesn't guarantee that employees will comply, but at least it's a start.

Related TechRepublic resources

2. Confidentiality policy

An IT consultancy's processes, systems, and client base, as well as its clients' data, license keys, passwords, network architecture, and security practices, are all highly sensitive information. Like the Brink's security motto, there's a sacred trust involved.

IT consultancies have an obligation to protect themselves and their client data. Implementing a confidentiality policy helps ensure staff understand sensitive and proprietary information is to be protected, closely guarded, and kept confidential, even when a staff member leaves for another consulting organization.

3. Data storage and protection policy

The stories about data security breaches are numerous, even infamous. As the adage goes, information wants to be free. So whenever an IT consultancy's engineers copy client data to USB keys, thumbdrives, external hard disks, or other storage media, the consultancy must guard those repositories very carefully.

A data protection policy must outline the steps all employees must follow whenever transferring or copying client data. In some cases, due to the sensitivity of a client's data, it might be necessary to destroy the drive used to transfer the information. The policy should certainly prohibit engineers from storing any data on devices or disks removed from the client's office. Such policies should also prohibit using thumbdrives loaded with data from one client from being used at a second client location without, at a minimum, a complete reformatting.

Related TechRepublic downloads

4. Documentation policy

IT consultants earn their living configuring, administering, and repairing information technology systems. This means consultants are frequently deploying servers, configuring Active Directory environments, registering domain names, setting up email accounts, establishing off-site backups, deploying routers, and much more.

All of these tasks require documentation: IP addresses, account registrations, logins, usernames, passwords, shared secrets. IT consultancies need to ensure all employees understand that when they deploy a new device or system, they must document all aspects of that technology. Without documentation, the consultancy will find it difficult to update, support, troubleshoot, and administer the very technologies it deployed. All staff should understand what information must be documented, the process and tools used to record the documentation, the location in which all such documentation is kept, and the procedures used to secure that documentation. A documentation policy is the solution.

Related TechRepublic resources

5. Social media policy

An increasing number of technology professionals are taking to blogs, Facebook, Twitter, and other sites to share everything from personal information to tales of how they're spending their day. If it involves your IT consulting work, many clients will prefer this information goes unpublished -- clients may not even want it broadcast if they are outsourcing technology services. Consultants don't want to lose business because they inadvertently revealed the client's dirty laundry via a simple, well-intended Twitter post.

IT consultancies must ensure staff understand which kinds and types of information are okay to share (e.g., grabbing lunch at The Wagon Wheel) and the kinds and types of information that are not okay to share (e.g., I'm removing another malware infection from the county police department server). A policy is one way to ensure staff receive written guidelines as to what information is acceptable and what information must be kept off social media sites.

Related TechRepublic resources

By Erik Eckel

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...