IT policies and procedures are not “set and forget” documents. Discover why they need to be reviewed regularly and learn some tips on how to do so.
Businesses sometimes create IT policies and procedures and then forget about them. Reviewing IT policies and procedures is important for several reasons, including:
- Keeping IT systems running optimally. Companies create IT policies and procedures to help keep their IT systems running efficiently and securely. If these documents are not updated to reflect changes made to the systems, problems might arise. For instance, if a company starts collecting additional personal data from customers, it should update its privacy, data governance, and other applicable policies and procedures. Otherwise, the data might not be properly collected, cleaned, secured, used, and stored. This could lead to security vulnerabilities (e.g., improperly stored data) or data integrity issues (e.g., the new data cannot be combined with existing data because of formatting inconsistencies).
- Complying with regulations. Regularly reviewing and updating certain types of policies is necessary for compliance with some regulations. For example, businesses that process or store the personal data of European Union (EU) citizens must comply with the General Data Protection Regulation (GDPR). One of the main requirements is that companies have privacy policies that tell EU citizens what data is being collected about them and how their data is being used, secured, shared, and stored. So, if a business starts collecting additional personal data from EU citizens but fails to update its privacy policy, it could be fined for noncompliance with GDPR.
- Avoiding lawsuits. Businesses can be held liable for outdated, vague, and inconsistently enforced policies. For instance, a US jury awarded $21 million in damages to a woman who was struck by a Coca-Cola delivery driver who had been talking on her cell phone at the time of the accident. The plaintiff’s attorneys successfully argued that the company’s mobile phone policy for its drivers was vague and that Coca-Cola was aware of the dangers of distracted driving but withheld this information from its drivers. As this example illustrates, it is important for companies to periodically review their IT policies to make sure they are clear, current with the times, and consistently enforced throughout the workplace.
At least once a year, you should review your company’s existing IT policies and procedures to make sure they are up-to-date and relevant. This is also a good time to determine whether any new policies need to be written. For instance, if you recently permitted employees to use their personal smartphones for work, you can use this opportunity to discuss the need for a Bring Your Own Device (BYOD) policy to govern the use of employee-owned phones in the workplace.
In addition, it is a good idea to test certain IT policies and procedures before the review process if this has not been done recently. For example, you could test the IT disaster recovery plan and procedures by holding a drill. Besides identifying problems with the plan and procedures (e.g., phone numbers that are no longer correct), the drill will allow employees to become familiar with the process. This will lessen employees’ stress in the event of an actual disaster, which can lead to a faster recovery time.
If changes need to be made to an IT policy or procedure, you should:
- Assign someone to make the changes.
- Make sure the updated documents are reviewed and approved by the appropriate people (e.g., human resources staff, legal team).
- Share the updated versions of those documents with employees.
- Retest the policies and procedures if applicable.