Does anyone have a policy statement for IT staff that tells IT staff about how it can and cannot make access data it is entrusted with? IT staff many times has access to everything, but shouldnt actually access most data unless there is a legitimate business reason. We are considering having a policy with sign off.
