IT World Canada

Surprise! An IT usage policy that actually makes sense

I’ve often imagined the ideal IT usage policy, but I never thought a company I worked for would be the one to compose it.

Before anyone accuses me of sucking up, let me point out that I once wrote in great detail about the IT policy at my previous employer, while I was still employed there. For those who missed it, the policy was illustrated by a cartoon character based on a padlock (who I nicknamed Paddy), described by our company as “The Cautious User of Information Systems.” This helpful guide was not distributed to employees (even new hires) but printed out and secured by a thumbtack to the bulletin board of our office kitchen. Even a year after leaving the company, I’m certain Paddy is still hanging there, waiting for some attention.

Contrast that with what arrived in our e-mail inboxes this morning. “Updated Internet usage policy,” the subject line began, before reminding us that everyone here is responsible for complying with the policy in full. It came from human resources, and the first line indicated our key contact for questions or clarification (which is our manager, not the beleaguered IT department). Those were the first things they did right. But there’s much more.

The entire policy – which really governs our overall use of IT, not just the Internet – is one page long. I was expecting an attachment to download, and was delighted when there wasn’t one. Although it gets into specifics around Web surfing, e-mail and instant messaging, the overall guidelines have been summarized into three easy-to-remember bullet points: don’t do anything that interferes with the operation of the company; don’t waste any of the technology resources available to you; and, don’t flout any digital copyright laws.

I’ve been managing staff long enough to know what people look for in these kinds of documents – punishments – and the company did not force them to look very far. An escalating three-phase approach is both standard and fair, and leaves no room for misunderstanding. The other question on everyone’s minds is how much (if any) employee surveillance is going on? Our company was up front about it: they’ll do it if they have to, and we should be prepared for it if they do. Assuming you’re using IT resources for business purposes, that shouldn’t cause undue fear.

Perhaps the trickiest area was around non-business use of IT. To paraphrase, the policy puts it this way: we know you’re going to do it, but just don’t do anything that forces us to have to pay attention. The policy assumes common sense, and in doing so shows respect for the employees that follow it.

Does it cover all the bases? Of course not. Is there room for improvement? For sure. There will be new technologies, emerging user behaviour patterns and security vulnerabilities we can’t even imagine at this point. IT usage policies are invariably works in progress. In this case, however, I think the work done so far is pretty solid.
