How NOT to Write IT Policies

Part of Aeritae’s mission is to use our hard-won wisdom to help clients create IT environments that go beyond “meeting business need.” We want the results of our work to be systems that allow clients to innovate and deliver exceptional experiences for their employees, partners, clients or customers.

Aeritae Security Capability Leader, Greg Handrick, specializes in Information Security and IT Operations. Below he shares some useful insights into writing IT policies that can help shape your organization for the better. 

Sadly, when it comes to their relationship with their employees, many companies start off by assuming they’ve hired criminals who will lose their data-filled laptop within their first week of employment. I say this because this view comes through so strongly in the first IT policy many employees see: the infamous “Acceptable Use” policy.

In helping a recent client, these points immediately stood out to me from their Acceptable Use policy:

  • It is 6 pages long (1737 words).
  • The word “prohibited” is used 23 times.
  • The word “allowed” is never used.
  • The phrase “Employees are responsible for exercising good judgment regarding the reasonableness of personal use” appears twice – once on Page 2 and once on Page 5. Notably, this does not appear in the “Personal Use” section, which discusses 9 specific things that are prohibited.
  • This policy was written by the corporate attorney and has been in place, unreviewed and unrevised, since its approval in 2009.
  • It mentions 4 specific social networking platforms; two of these no longer exist (e.g., MySpace).
  • The policy is written to protect the company from liability, and to provide a hammer with which to smash an employee who steps out of line.
  • There is no evidence that any employee has read, understood, or committed to abiding by the policy.

Contrast this with another client’s policy:

  • It is one and a half pages long (555 words).
  • The entirety of the policy is summed up in this paragraph: “Access to the <Company’s> computers, network, e-mail and Internet systems is provided to Users for the benefit of the Company, allowing Users to perform their job responsibilities. Each User has a responsibility to maintain and enhance the Company’s professional reputation and public image, using these systems in a productive and professional manner. Leadership expects all Users to perform as professionals who are capable of fulfilling this responsibility without the need for a detailed list of ‘dos and don’ts’.”
  • The remainder of this short document consists of guidelines that clarify the User’s responsibility and expectations of behavior. To keep the lawyers happy, we told the employees that they should have no expectation of privacy on company equipment.
  • The policy is written by people who know the target audience, and who want to give employees a framework that flexes to accommodate new situations as they occur.
  • The policy is reviewed and renewed annually, and each employee re-reads it and attests that they will abide by it (keeping it relatively fresh in their minds).

Let’s face the observed facts. Most employees:

  1. Are not lawyers.
  2. When faced with a 6-page document, will skip to the end and sign it just to be done.
  3. Even if they read the policy, will not remember details 3 months later. Nor 3 years later.

With that said, I’ll try to bring this post back to the realm of useful guidance. How many times have you seen the HR adage “our greatest asset is our people”? Well-written IT policy is an effective tool that guides employees away from behavior that weakens IT security or regulatory compliance. 

Good policy can demonstrate that you treat people as a valued asset, if you do these things:

  • Show the right path, rather than bludgeoning the employee with a list of prohibitions.
  • Trust that your employees are adults who want to do the right thing.
  • Keep it concise. Make the policy readable and avoid legal-ese.
  • Even though you trust them, remind your employees annually (at a minimum) of the expected behavior.

And if you’re unable to do these things, at least you can be confident that your employees aren’t performing any prohibited behaviors on MySpace.

For further help on this topic, contact us!

Greg Handrick

Security Capability Leader, AERITAE