IT Policy and Procedures

By jdobbs

I've been given the task of writing the IT policy and procedures from the ground up. I'm not really sure where to start or what items to include. I have a few ideas such as passwords, internet and email usage, backup and recovery, and a few other things. Can anyone give me any tips on planning these such as experiences you've faced and other ideas to include? Any resources would be tremendously helpful and appreciated.


by TheChas In reply to IT Policy and Procedures

A good place to start is the Download Center here at TR.

There are a number of policy templates.

Click on the linked articles for more details.


by mlayton In reply to IT Policy and Procedures

Part of the question will be how large your organization is - this will help dictate your policies and what you need. Also, be sure once you have them, you run them by legal counsel and HR, as laws vary from state/country as to what is permitted. I've done this several times. Along with TechRepublic downloads, try the SANS website for references on policies, and there are a couple of references I used to use - "Information Security Policies Made Easy" by Wood and "Information Systems Policies and Procedures" by Jenkins. I haven't had to do it in several years, so I don't know if these are current, but they may be a good starting point.

by jdobbs In reply to IT Policy and Procedures

We're handling about 150 PCs running WinXP on two separate networks. One network has a domain controller as the other does not. Pretty basic setup yet there are still problems and concerns which could most likely be solved if policies were in place.

Thanks for the help so far!

by The Admiral In reply to IT Policy and Procedures

The first thing that you would have to do regardless of the size of your organization is to determine what processes are urgent. Say for instance the network goes down and there is a process that is followed to put it back online. The most critical of processes should be documented first, then the processes as they are happened on can be done next.

The important thing is that documentation is done, and that it is kept updated. You can start the living document anywhere, but keeping it updated is important as well.

I believe that I would start (in my honest opinion) with categorizing areas of interest, then breaking them down. Taking the large piece and nibbling at it in smaller bits is better.

by j.lupo In reply to IT Policy and Procedures

The answer provided about starting here at TechRepublic is a good one to get you started. I would also suggest something I have found very useful. Observe the current processes for each area that is needed for your organization to run smoothly. Keep in mind that your IT area is a part of the larger picture. So any policies and procedures you set should keep you aligned with the overall strategy and needs of the company.

Also, as you observe how things are currently working, ask questions about why something is done a certain way and how others might do it differently.

The point is that before you can write anything, you need to gather as much knowledge as possible about the current state of things.

by adongerdive In reply to IT Policy and Procedures

I was wondering if you finished writing this policy. I was asked to write one for my company today.


by jeanneleez In reply to IT Policy and Procedures

I've also found that googling using key terms, such as "IT Policies and Procedures", will provide you with real-world samples in use today. If you can find one in the same industry as yours, that would be a bonus. You could probably do this by tweaking your search terms... Good luck!

by gadgetgirl In reply to IT Policy and Procedures

I'd suggest starting by building yourself a basic ISMS framework (Information Security Management System) and bolting IT policies on to it.

I've spent just over 13 months doing exactly the same job as you've just been given (long, hard slog, no shortcuts). Once you have the basic high level IT/IS policy in place, use others as bolt-ons, i.e. Internet access/usage policy, Email policy, System specific policies, Equipment/usage policy, Mobile Policy, Remote Access Policy, Safe/Secure disposal policy, DR/BC, Server Policy, Update Policy, AV Policy etc.

Watch your back, though - you need to get these passed by your HR and Legal sections so current statute can be included. Bear in mind the level of knowledge/common sense of the average user - don't write it in tech-speak, write in clear English!

Google BS7799 or ISO 27001 (versions of the same thing) and you'll get some good pointers.

Good luck - as I said, 13 months in, and still going!

