Policy Creation & Communication

Policy is a set of rules or guidelines by which certain things needs to done in certain particular way in an organization. Policies may be the best practices which are followed by many of the organization or it can be principles of functioning of certain organization. Policies are set of decisions which conform to the mission, philosophy and goals of the organizations.

Why does any organization need of a policy? The answer to this question can be as simple as to say to communicate to the users on an effective way of working. Some of the other objectives can be listed as below

• To define day-to-day operational activities
• A clear and meaningful response is defined for frequently asked questions by employees
• For legal and compliance requirements
• Includes warnings and cautions for any specific type of events which are against the predefined rules and guidelines of the organization
• Personal Code of Conduct for the employees as expected by the organization
• Define Work and Professional Ethics
• Creates a framework for handling issues as they arise

However, in the context of IT, the policies will have to be make sure that these are in line with tithe overall company objectives as well. Since most business is driven by IT tools, IT policies take more significance for the overall organization. For example the IT Infosec policy will play a major role in how network bandwidth is getting utilized. Security policies will play a major role in defining how applications are developed or which applications are selected for purchase. In some case even some business required functionality will have to compromise in case the selected application does not meet any of the IT policy requirements. Hence it is very important to make sure that a clearly documented policy should be available to the business whenever needed and it is the duty of the business stakeholders to review and update the policy as and when required. In some scenarios there might be need to create a new business policy to address some new issues for e.g. Employees spend lot of time on social media websites like Facebook, Twitter during work hours and because of it the overall productivity is going down and the confidential corporate data is also at risk. Hence the business stakeholder can take a decision of creating new social media policy which specifically mentions how much hours an employee is allowed to spend on social media websites or not allowed to at all depending what is decided. Also, the policy will mention what kind of data should not be leaked on the public forums etc.

Creation of a New Policy: Creation of a new policy is not a simple task of writing it down and informing the employees about the new practices or guidelines to be followed. It requires brainstorming on the consequences or the need of the new policy before formalizing it. The new set of rules should be in the favor of the organization, be beneficial to the employees and should aim to solve the problem for which it is being created. The new policy should be implementable, worth the effort and should not generate additional set of major problems which might affect the overall objective of creating the new policy. It should be in integration with other policies of the companies. Make sure the policy conforms to the legal and compliance requirements. Ensure it specifies what kind of actions will be taken if someone does not obey or violate the policy. It should be reviewed and all the points should be considered thoroughly before formally informing the employees about the new policy.

Communicating the Policy: A policy is just not a written document but a contract with the employees and hence all the employees should be made aware of the new policy. They should know their boundaries before performing day-to-day operations. The organization should distribute the IT policy among all the employees so that they can read and understand the terms and conditions defined in the policy. A regular survey should be conducted with the employees so that they can get their doubts cleared and agree it is beneficial for them as well as for the organization. Also this survey can help the organization also understand if any policy change needs to be made. If there is disconnect on some clauses or the entire policy is unfair as per the employees then the top management should to review the policy. For example marketing teams may require access to social media content in order to promote company product and services. In case a policy with a blanket restriction may not work and the policy would need to be tweaked to provide role based access. In this review process all the issues raised by the employees should be considered and the policy should be updated as required and in favor of both the organization and the employees. If required, training should be provided to the employees to make them understand the benefits of the new policy or changes in the existing policy. Once a agreed upon situation is achieved then a sign-off should be taken from each and every employee to ensure all the employees have understood all clauses, terms and conditions of the policy. There should be a complete transparency between what is being said and what is being followed. The policies should be stored on the secure corporate intranet and all the employees should have access to it whenever needed but the distribution of the policy outside the corporate network should be prohibited.

An effective policy is the one which is in favor of both the organization and the employees. Hence any changes in the existing policies or if a new policy is created has to be communicated to all the employees. Feedbacks on the policies should be discussed and be incorporated if beneficial for the employees as well as organization. Manage IT assists organizations in efficiently managing IT policies by providing IT compliant processes.

About Author:

Amol Bhembre is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at: amol.b@spluspl.com