An acquaintance of mine told me a story of how he continued to receive a salary from an employer 4 months after he left the organization complete with statutory deductions including HELB loan repayments. We have also heard of incidents where an employee is fired and he ends up ‘locking’ up ICT systems by changing passwords or refusing to share the passwords, sometimes leading to loss of business or information. Worse, some organizations have slowly bled to death due to frequent flouting of ICT policies leading to loss of money and customers. In fact, most fraud incidents today involve the improper use of ICT systems because of the lack of or poor policy implementation. Think IFMIS/NYS.
On the surface, these staff exit related examples might seem like the failure by the HR or IT department in ensuring proper exit of an employee or the proper use of ICT resources. But deeper, they point to a more critical and dangerous state of affairs: The lack of or the failure to adhere to ICT policy best practices.
What is an ICT Policy Document?
The Oxford English Dictionary defines policy as “A course of action, adopted and pursued by a government, party, ruler, statesman, etc.; any course of action adopted as advantageous or expedient.” Adding ICT to it, the definition becomes: an ICT policy is a roadmap with specific actions and best practices for the adoption, use, maintenance and value extraction, at reasonable cost, of ICT resources. Every action taken in the organization that uses or impacts ICTs must be guided by this policy.
As you can see above, without an ICT policy, there will be no roadmap on how and why an organization should adopt ICTs. At the bare minimum, an ICT policy document for an organization should include the below:
- Scope and objectives of the policy document: This defines the reason why the document exists, its target audience and what the document covers.
- Technology adoption roadmap: This gives a clear definition of where the organization is and where it wants to go in the short and long term as far as ICT is concerned. For example, is the organization moving from an in-house data center to the cloud? It must be in the ICT policy. Is the organization trying to change the ICT department from being a cost center into a revenue generator? It must be in the ICT policy.
- ICT best practices in relation to the organization’s objectives: These define the dos and don’ts for the organization as a whole (and not the individual ICT user in that organization). For example, is the organization outsourcing its sensitive data analysis to a third party? This must be specified in the ICT policy. Is the organization allowing personal devices such as phones (BYOD) to connect to the office WiFi? This must be specified in the ICT policy.
- Precautions and disciplinary measures: This section details the rights and obligations of ICT users, with punitive or damage-preventive measures for failure by a member of staff to follow the laid-down ICT policies. The severity of the punishment should be commensurate with the risk or exposure the company suffers as a result of the failure to follow the laid-down processes.
Checks and Balances
A policy document is just that; a document. It has to be operationalized through the implementation of systems, processes and a mindset change to ensure its success. Many organizations have well written but poorly implemented ICT policies. This poor implementation is often as a result of failure to interpret the policy into well understood rules and regulations. A policy begets regulation, which in turn begets directives. A directive like “No member of staff shall copy into a portable disk, any document, software or multimedia that belongs to the organization…” should have stemmed from a regulation that bans the use of portable drives in the work environment. This regulation should have stemmed from the policy that states “The organization, shall treat all the organization information with utmost care, protecting it from unauthorized access or modification both in storage and in transit”.
But what happens if all the above exist and members of staff still carry around USB drives containing the organization’s data? This is where checks and balances come in. The CIO can go a step further and disable all USB ports from accepting portable drives. He can also have the system send an alert to the relevant IT team should anyone attempt to connect a portable drive to a company computing resource.
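The alerting half of that check, as an added example that is not part of the original post: a small Python script that scans forwarded Linux kernel log lines for the usb-storage attach message and raises an alert per event, so the IT team learns when a portable drive was plugged into a company machine. The log lines, hostnames and the alert format are constructed for this example; the blocking half (refusing the device outright) would on Linux normally be a udev rule or a modprobe blacklist for the usb-storage module, and is assumed to be handled separately.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real logs): workstation ws-042 has a
# USB mass-storage device attached twice; the keyboard on ws-017 must not alert.
SAMPLE_LOG = """\
Mar 14 09:12:01 ws-042 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Mar 14 09:12:01 ws-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 14 09:12:03 ws-042 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mar 14 09:30:45 ws-017 kernel: usb 2-3: new full-speed USB device number 3 using xhci_hcd
Mar 14 09:30:45 ws-017 kernel: input: Generic USB Keyboard as /devices/pci0000:00/usb2/2-3/input0
Mar 14 10:02:10 ws-042 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# Pattern for the kernel's usb-storage attach message in syslog form
# (timestamp, host, "kernel:", then the usb-storage line). Written for this example.
MASS_STORAGE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"usb-storage (?P<port>\S+): USB Mass Storage device detected$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    port: str


def find_mass_storage_events(log_text: str) -> list[Alert]:
    """Return one Alert per portable-drive attach event found in the log text."""
    alerts = []
    for line in log_text.splitlines():
        m = MASS_STORAGE_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], m["host"], m["port"]))
    return alerts


def events_per_host(alerts: list[Alert]) -> dict[str, int]:
    """Count attach events by host, so repeat offenders stand out in a report."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return counts


def format_alert(alert: Alert) -> str:
    """Render an alert line for the IT team's ticketing or chat channel."""
    return (f"[ICT-POLICY] {alert.timestamp} portable drive attached on "
            f"{alert.host} (USB port {alert.port})")


if __name__ == "__main__":
    events = find_mass_storage_events(SAMPLE_LOG)
    for a in events:
        print(format_alert(a))
    print(events_per_host(events))
```

Run against the embedded sample, the script flags the two mass-storage attaches on ws-042 and ignores the keyboard on ws-017; in practice the same function would be fed from the central log collector rather than from an inline string.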
Future Proofing ICT Policies
A good ICT policy document should be future proof and technology or vendor agnostic. This is to say that it should desist from mentioning vendors or particular technologies. These details should be in the subsequent documents that emanate from the ICT policy document. These include but are not limited to:
- The ICT resources user guide: This is what many confuse for an ICT policy; it is more a set of regulations than a policy. It gives details of how the organization’s ICT resources are used, with best practices. This is the document that contains regulations such as social media use in the office, BYOD rules, email etiquette etc. It also specifies the dos and don’ts when using the organization’s ICT resources.
- The Technology adoption plan: This is the short and long term plan of how various new technologies will be adopted and integrated into the existing systems. It gives solid reasons and timelines for this, showing the entire ICT use lifecycle. Technology adoption should not just be for the sake of it or because there is a newer, shinier technology in the market. Technology adoption should take into consideration the competitive advantage the organization is going to earn from the adoption and capex and opex availability.
With ICT becoming an integral part of doing business today and the digital transformation that enables it, it is very critical that CIOs are in control of the direction and pace of ICT adoption in the organization. This control cannot happen without a policy in place. The CIO can adopt the best ICT systems with good intentions to help the organization, but without an ICT policy, these systems will serve as a conduit for fraud, loss of information assets and eventual revenue loss to the organization. If your organization does not have an ICT policy in place, it’s time to have one.