IT Policy Framework

Introduction

Information technology shapes much of the modern world, and policies are required to regulate and guide the use of information technology systems. There are many benefits in following accepted rules and regulations when using these systems. Developing and implementing information technology policies can be costly, but the cost is justified by how extensively computers are used today. Computer misuse is on the rise: many people use computers to advance personal interests and even to attack others. Cybercrime is also rising, with attacks on businesses and individuals and the spreading of false information. Information technology experts are developing rules and software to keep computer users safe; however, because the computing world changes so quickly, improvements to the security of a system become obsolete at a rapid rate.

There are many benefits to having policies and procedures for the use of computers and information systems. Rules and procedures ensure that all staff are aware of their obligations when choosing which computer systems to use or which safety mechanisms to adopt. Information technology rules and procedures have proven critical in enhancing the performance of computers and in protecting users from malicious internet users. Many organizations have embraced computers and carry out significant transactions with them. Computer policy varies and takes many issues into account. Large sums are also invested in developing software and acquiring hardware, so it is advisable to have policies that ensure the proper use of those finances.

Acceptable Computer Use Policy

In general, acceptable use means honoring the privileges of the individuals who use the computers, the integrity of the physical facilities, and all relevant license and contractual agreements. Anyone found to have violated the Acceptable Use Policy will face serious disciplinary action.

Computers must be used for the general good of everyone interacting with the networks. Any activity that negatively affects other users of the computer is prohibited. The acceptable computer use policy seeks to ensure that machines are in good condition for everyone and that devices are secure and responsive to the needs of the work environment (Peltier, 2016). It is the responsibility of every user to ensure that personal information, such as passwords, is not shared through the computers. Inappropriate use of computers will not be tolerated. Improper use includes, but is not limited to, violating other people’s rights by wrongfully accessing their personal information or using computers to infringe on their rights. Copyrighted materials such as documents, published books, pirated songs, and movies must not be shared using computers. Computers must not be used to commit a crime or to encourage people to take part in criminal activities (Safa, Von Solms, & Furnell, 2016). Introducing malicious programs into a computer or any device connected to it is not allowed; machines must be kept free of viruses, worms, Trojan horses, and mail bombs. Disclosing personal account details, for instance passwords, is prohibited and will result in termination of computer privileges. Sharing offensive or sexual material using computers is not allowed under any conditions. Using computers to spread malicious content or misleading information will not be tolerated in any way. Everyone has a responsibility to take care of themselves and not bully others while using computers.

Access Controls Standards Policy

The access control standards policy seeks to promote the security of computers by regulating who can use them and the nature of the operations or tasks that may be carried out in the computing environment. Access control takes two forms, namely physical access and logical access (Senft, Gallegos, & Davis, 2016). Physical access control limits access to computers, to buildings containing machines, and to other material components of the computing infrastructure. Logical controls restrict connections to computer systems, computer network frameworks, system files, and information (Safa, Von Solms, & Furnell, 2016). Electronic access control systems will rely on credentials, access card readers, and auditing and reporting to monitor or control the use of computers. Computer users will need to identify themselves before being allowed to use computers. It will be mandatory for users to have passwords, which they will not be allowed to share with anyone else. Discretionary access control will ensure that the administrators of the computers establish rules to which every user must adhere (Tirgari, 2012). Unauthorized use of computers is prohibited, and anyone found misusing the machines will be barred from using computers. Passwords used on the computers must meet the required length and complexity requirements. Passwords will only be changed through a formal process. Access to confidential or restricted information is not allowed. Information on the computer must not be shared without approval. Access for remote users shall be subject to authorization by the administrators. Universal access control methods will include explicit logon to devices, limits on privileged accounts, firewall permissions, database access rights, and encryption (Caliz, Samaniego, & Caliz, 2016). Everyone will need prior approval before being given access to a system. Periodic maintenance will be carried out on the machines to ensure that the installed software controlling access to the computers remains effective.

Information Technology Planning Policy

The information technology planning policy provides a framework for acquiring and managing information technology based on the organization’s technological needs. Information technology investment should be aligned with the objectives and structure of the company. Capital planning and investment control should seek to enhance the performance of the organization (Peltier, 2016). Established analytics systems will be used to evaluate policies and ensure that they meet emerging information technology needs within the organization. The organization’s performance and strategic positioning should be assessed and integrated into its information technology system. Existing and emerging best practices should be reviewed and considered. Feedback from stakeholders should be sought to evaluate the performance of the information technology system. The cost and economic implications of using a given information system should be assessed against the projected benefits. When acquiring systems, all information technology procedures should be reviewed and adhered to (Senft, Gallegos, & Davis, 2016). The organization can develop metrics, critical success factors, and key indicators to monitor and assess the results of its systems and ensure they are operating effectively. Security plans should be prepared before new methods are used, and the necessary steps taken to ensure that the policies are updated as information technology needs emerge. Security plans seek to protect the confidentiality of computer users’ data and to promote integrity. Every system should have reporting tools whose feedback is incorporated into the system and used for future planning. Evaluation should be a continuous process. Information technology is ever-changing, with new threats and opportunities arising (Tirgari, 2012). With feedback from information technology users, security experts will know what should be improved or changed to enhance the security and safety of a system.

Hardware and Software Acquisition Standards Policy

Computer hardware includes desktops, computers, laptops, notebooks, printers, and other equipment and peripheral devices. Computers require periodic replacement of components that have worn out or malfunctioned. Hardware needs specific software to operate (Peltier, 2016). An organization should contact its information technology department before initiating a process to purchase computers. Advice should be sought from the information technology department regarding the safety of the systems and whether the order is new or duplicates a computer system that already exists within the organization. The information technology department should then verify the system to ascertain its safety and compatibility with the organization’s other information systems. The technical specifications and standards of the new systems to be acquired should be known, and the auxiliary resources to be used with a system should be available (Senft, Gallegos, & Davis, 2016). Non-conforming systems should be rejected. Vendors from whom an information system is obtained should be certified to deal with the equipment. Vendors must have technical knowledge of the system and be able to provide assistance in case of system incompatibility. The software supplied must provide a high-quality service that improves the existing technological environment. A demonstration of the software is required before purchase. In case data from the organization is needed for software development or for a demonstration, the organization should ensure that only the required information is given and that it is used only for the specified activity (Tirgari, 2012). Written assurance should be given stating how the information will be used and the conditions that might lead to termination of the agreement to handle the information or to use it in a specific way. Software quotes are based on the system configurations and components the software will interact with.

Electronic Communications Policy (Email, Social Media, etc.)

Electronic communication has become the standard mode of both business and personal communication, with email and social media as the primary means. An electronic communications policy should be comprehensive, covering the various aspects of communication and the integrity of information. It should give guidelines on the appropriate use of email and social media platforms, and retention and internet policies should guide the use of the internet and the nature of communication (Senft, Gallegos, & Davis, 2016). Content shared through email should be regulated. Sharing inappropriate information through email is prohibited. Email users should also not disclose personal information to strangers or share vital documents through email. Social media users should be informed of the safety and security obligations that apply when using the internet for communication. Computer use by minors should be monitored. Children should be guided on how to use the internet and on the type of information they can share through it. The internet use policy should state what is allowed and what is not allowed (Caliz, Samaniego, & Caliz, 2016). Filtering software should be installed to screen information shared over the internet and ensure that only legitimate content is shared. While using social media, users should be encouraged not to share so much information that they expose themselves to people with malicious intent. With the increase in internet use, a great deal of information is being shared online, and computer users are thus becoming vulnerable to cyber-attacks. Hackers are developing sophisticated means of accessing private information and using it for personal gain (Tirgari, 2012). Organizations should install antivirus software on their computers to protect against malicious attackers. Bullying is also on the rise with the use of computers. Everyone using the internet for communication should be made aware of the importance of using appropriate language that does not offend or belittle others.

Data Governance Policy

A data governance policy is a documented guideline that ensures the effective management of digital information in an organization. The data governance policy primarily ensures that organizational data is accessible, accurate, protected, and consistent. The policy also identifies the individuals responsible for the information in each circumstance and procedure (Safa, Von Solms, & Furnell, 2016). Even though a data governance policy is always documented, it is also flexible, allowing for future changes. It is fundamental for every organization to create and maintain such a system. Policies are the general business rules and processes a firm uses to provide practical guidance. In data governance, various strategies are responsible for the effective operation of the established programs. The data governance policy is essential in the IT department, which serves as the electronic storage for the organization. In general, the data governance policy addresses the structure of the data governance framework, including data access, data usage, integration, and data integrity.

Data access ensures that employees are granted appropriate access to both information and organizational data. Even with free access to data by employees, it is necessary to recognize the company’s responsibility for the security of that data. The guidelines and procedures set must not interfere with the efficient flow of the organization’s business (Peltier, 2016). Therefore, the organization will protect its data assets using security measures that restrict only the information that is sensitive to the organization and needs to be known by only a few people. The data governance policy will also incorporate a data usage policy. The data usage policy ensures that the organization’s data is not abused or misused in any manner (Safa, Von Solms, & Furnell, 2016). The policy will therefore ensure that personnel can access and use the data needed to perform their job functions. Authority to update data will be granted to the data steward, to reduce the probability of tampering with the company’s information.

Electronic Signature Policy

The electronic signature policy should be established based on the guidance of the United States Environmental Protection Agency (EPA). This approach ensures the adoption of electronic signature technology and best practices in organizations (Peltier, 2016). An electronic signature policy transforms how organizations do business. Electronic signatures not only eliminate the physical transmission of paper contracts but also dramatically speed up signing and approval processes.

Moreover, they facilitate a smoother workflow. A robust electronic signature policy is one that sets the guidelines for using electronic signatures. The policy also needs to comply with both local and global laws (Caliz, Samaniego, & Caliz, 2016). In summary, an electronic signature policy provides the requirements and guidelines that allow an organization’s employees to substitute electronic signatures for handwritten signatures on agreements, as permitted by law.

The electronic signature policy ensures that the signer’s information is encrypted and can only be known by the data management personnel. A high level of data privacy applies under an electronic signature policy (Senft, Gallegos, & Davis, 2016). Various types of signature are used, chosen with careful consideration of the risk and value present in the transaction. The signature is the legal link between the signer and the third party in the purchasing process. In determining the type of signature to use, several factors need to be taken into consideration, including the legal requirements and the business requirements.

The legal requirements take into account the laws and statutes governing signatures. Therefore, the development of the electronic signature policy needs to align with the regulations and statutes that apply to electronic signatures. Additionally, the electronic signature policy also evaluates the business requirements (Caliz, Samaniego, & Caliz, 2016). Electronic signatures are used in circumstances involving future risk, or in high-stakes business where negative impacts may occur at any point in the transaction. The IT organization is responsible for developing the electronic signature policy as a guideline for the purchasing department.

Change Management Policy

The change management policy describes the responsibilities, guidelines, and procedures followed when making any changes to the company’s computer network. The policy is formulated to manage the process of change (Senft, Gallegos, & Davis, 2016). Various factors must be controlled, and the change tested and approved, before the installation and implementation period. The primary purpose of this policy is to ensure that all the elements of a change are in place. Employees, consultants, contractors, and temporary workers can access the data in the network computer systems, but they must adhere to the guidelines set out in the change management policy.

The change management policy provides the opportunity to apply upgrades, changes, and modifications to the data network environment and keeps the system aligned with changes in the context in which the data operates. Before a change begins, the personnel in charge of developing the IT network need to fill in the scheduled maintenance form (Safa, Von Solms, & Furnell, 2016). The supervisor also needs to sign the form. The signed document is then circulated to employees to give them ample notice before the activity takes place. It is necessary to inform employees and the regular users of the data so that the changes made can be adopted in the network system.

Firewall changes are among the changes covered by this policy. The change management policy is followed whenever there are firewall access changes in a company or organization. Before any change to the firewall is made, the firewall change request form must be completed (Caliz, Samaniego, & Caliz, 2016). All firewall changes are recorded and preserved for future reference. Documentation changes also take place across the entire IT department, and the documentation procedures require workers to understand where specific documents must be stored.

Media Protection and Disposal Policy

The primary purpose of the media protection policy is to ensure that organizational data is protected until such information is released to the public through an authorized dissemination channel. The controls governing data storage protect the electronic and physical media containing sensitive information (Peltier, 2016). The electronic media protected under the media protection policy in the IT department includes memory devices in laptops and computers, portable digital storage media, and digital memories. Protecting such media in the IT department ensures the secure storage of electronic media within a physically safe and controlled space. The personnel in charge of this policy need to prevent unauthorized people from accessing electronic and physical media. Computers and laptops should be logged off or switched off whenever they are not in use (Caliz, Samaniego, & Caliz, 2016). The media protection policy also specifies that printed hard copies must be kept in a secure area accessible only to employees whose job functions require such information.

The media disposal policy is another mechanism that is important and necessary in an IT department. The way information on media is disposed of helps protect the organization’s knowledge. All electronic media in the organization is overwritten multiple times before it is discarded or released for reuse by unauthorized people. The organization and the personnel involved must maintain and store all written documentation of the steps used to sanitize or destroy the electronic media (Senft, Gallegos, & Davis, 2016). Physical media shall be disposed of securely whenever it is no longer required for use. Without proper media disposal, it is straightforward for other organizations to obtain the firm’s information and secrets by accessing the organization’s network system. Penalties are imposed on any IT employee who disposes of media without consulting the respective supervisor or without following the required channel for eliminating the media.

Security Awareness and Training Policy

Most employees tend to think that the security of data is the concern of the IT department workers only. They fail to understand that a mistake by a single employee in any department is capable of letting hackers into the system. A security awareness and training policy is vital for the IT department employees to maintain the security of data in the company (Safa, Von Solms, & Furnell, 2016). Implementing a security awareness policy establishes security obligations among all workers. Security awareness in the workplace means proactive approaches to the dangers of both online and offline threats. Nevertheless, to enforce a security awareness policy, adequate security awareness training needs to take place (Tirgari, 2012). The security awareness policy is implemented at different levels, including general awareness for all staff, intermediate security awareness for managers, and in-depth security awareness for the IT personnel who interact with company data most often.

The training policy should ensure that the parties involved are instructed in the use of passwords and in the strategies governing password validity and length. The training also needs to explain which areas of data management contain the most sensitive information and how such confidential information is to be handled. Through the training policy, employees will understand the correct procedure for disposing of and storing paper-based data. In case of a suspected hacking or security breach, employees are trained on the proper channels to use in an emergency (Caliz, Samaniego, & Caliz, 2016). Adopting a security awareness and training policy allows the organization to become conscious of physical and cyber dangers. The IT department and the organization in general will have the opportunity to identify all the company’s weak spots and work towards eliminating them. Moreover, the management of the company will be able to choose proactive rather than reactive measures on security matters.

Conclusion

From the above discussion, it is evident that various policies guide the use of computers and information systems. These procedures are required to streamline the use of computers and protect users from malicious attackers who might wish to use computer and information technology systems to carry out criminal activities. As more people connect to the internet, hackers devise smarter ways of infringing on other people’s rights by extracting their personal information for personal gain. Rules and regulations relating to the use of computers and information technology systems vary based on the nature of the machines, the information contained or shared in the networks, and the location of the computers, among other factors. Governments across the world are developing rules and regulations to guide the use of computers. Instructions governing the use of computers and information systems are reviewed periodically to ensure they keep pace with the evolving nature of cybercrime.
References

Cáliz, D., Samaniego, G., & Cáliz, R. (2016). Methodological proposal of policies and procedures for quality assurance in information systems for software development companies based on CMMI. JSW, 11(3), 230-241.

Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. Auerbach Publications.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Senft, S., Gallegos, F., & Davis, A. (2016). Information technology control and audit. Auerbach Publications.

Tirgari, V. (2012). Information technology policies and procedures against unstructured data: A phenomenological study of information technology professionals. Journal of Management Information and Decision Sciences, 15(2), 87.