IT policies and procedures are not “set and forget” documents. Discover why they need to be reviewed regularly and learn some tips on how to do so.
Businesses sometimes create IT policies and procedures and then forget about them. Reviewing IT policies and procedures is important for several reasons, including:
- Keeping IT systems running optimally. Companies create IT policies and procedures to help keep their IT systems running efficiently and securely. If these documents are not updated to reflect changes made to the systems, problems might arise. For instance, if a company starts collecting additional personal data from customers, it should update its privacy, data governance, and other applicable policies and procedures. Otherwise, the data might not be properly collected, cleaned, secured, used, and stored. This could lead to security vulnerabilities (e.g., improperly stored data) or data integrity issues (e.g., the new data cannot be combined with existing data because of formatting inconsistencies).
- Complying with regulations. Regularly reviewing and updating certain types of policies is necessary for compliance with some regulations. For example, businesses that process or store the personal data of European Union (EU) citizens must comply with the General Data Protection Regulation (GDPR). One of its main requirements is that companies have privacy policies that tell EU citizens what data is being collected about them and how their data is being used, secured, shared, and stored. So, if a business starts collecting additional personal data from EU citizens but fails to update its privacy policy, it could be fined for noncompliance with GDPR. For those in the Medical Services sector, HIPAA has very strict regulations about how data is managed, viewed, stored, and shared. A violation of these regulations can mean millions of dollars in fines.
- Avoiding lawsuits. Businesses can be held liable for outdated, vague, and inconsistently enforced policies. For instance, a US jury awarded $21 million in damages to a woman who was struck by a Coca-Cola delivery driver who had been talking on her cell phone at the time of the accident. The plaintiff’s attorneys successfully argued that the company’s mobile phone policy for its drivers was vague and that Coca-Cola was aware of the dangers of distracted driving but withheld this information from its drivers. As this example illustrates, it is important for companies to periodically review their IT policies to make sure they are clear, current with the times, and consistently enforced throughout the workplace.
- Disaster Recovery and Business Continuity. No one likes to think it will ever happen to them, but the possibility exists for every single business, big or small. Fire, theft, flood, and malicious attack can leave businesses completely crippled. Ensuring that a plan for all scenarios exists is paramount to ensuring that your business can continue to operate under any circumstance. This includes Backup Planning with defined Recovery Time Objectives (RTOs: how fast can we be back up and operational?) and Recovery Point Objectives (RPOs: what point in time does your last backup cover? Was it last night, last week, last hour?) so that the plan strikes the balance between how much it costs to protect the organization and how much the organization would lose if it was down. Regular testing of the plan must also take place to make sure not only that the objectives are being met, but that the backups are working at all.
At least once a year, you should review your company’s existing IT policies and procedures to make sure they are up-to-date and relevant. This is also a good time to determine whether any new policies need to be written. For instance, if you recently permitted employees to use their personal smartphones for work, you can use this opportunity to discuss the need for a Bring Your Own Device (BYOD) policy to govern the use of employee-owned phones in the workplace.
In addition, it is a good idea to test certain IT policies and procedures before the review process if this has not been done recently. For example, you could test the IT disaster recovery plan and procedures by holding a drill. Besides identifying problems with the plan and procedures (e.g., phone numbers that are no longer correct), the drill will allow employees to become familiar with the process. This will lessen employees’ stress in the event of an actual disaster, which can lead to a faster recovery time.
If changes need to be made to an IT policy or procedure, you should:
- Assign someone to make the changes.
- Make sure the updated documents are reviewed and approved by the appropriate people (e.g., human resources staff, legal team).
- Share the updated versions of those documents with employees.
- Retest the policies and procedures at least once a year.
If you have any questions about your IT policies, please feel free to reach out to us.