In this blog post, we will take you through how to make guidelines for the use of IT in your organisation. Having this kind of document can help strengthen the cybersecurity of your organisation. You will be guided through our template, which you can find further down this page. We also have a template for creating an IT security policy, which you can find here. Both documents are vital tools for achieving a good cybersecurity culture in your organisation.
When you work with cybersecurity in your organisation, it can be very useful to have both an IT security policy and guidelines for IT use. With a policy and a set of guidelines, you provide a clear set of expectations, which will strengthen your security.
The purpose of an IT security policy is to provide a general framework for the organisation that includes objectives and delegates the responsibility for cybersecurity within the organisation. The policy is a small document of only a few pages. It is best viewed as a management memo stating the organisation’s ambitions for its cybersecurity measures.
The guidelines document is more extensive and includes rules and guidelines, which the entire team must follow. Where the policy is general and strategic, the guidelines document is concrete and actionable. (If you would rather see the tutorial for making policies, then click here)
In this blog post, we will go through the template for Guidelines for IT Use and discuss what to be aware of when you create these guidelines for your organisation.
While the IT security policy creates a strategic framework, the guidelines document defines specific rules to follow: that is, what should be incorporated into one’s daily routine while working. For example, it can include guidelines about the length of passwords, clean desks, or private use of company equipment, such as laptops and smartphones.
The purpose of the guidelines is to define the playing field for the organisation and to provide clarity for all members of staff, so the guidelines should be easy to understand and follow.
For the guidelines to be successful, nobody in the organisation should ever be in doubt about whether they are breaking the rules, and everyone should be able to navigate their daily work in a secure way. Additionally, the document should be concise: too many rules can lead to worse cybersecurity, as people simply forget them because of mental overload.
It is important to point out that the following points should only serve as inspiration for your guidelines. You have your own context, in which perhaps only some of the rules are relevant. We recommend taking what is relevant to you, adding your own rules, and removing the rest.
The templates contain the following items:
Guidelines and principles:
The template has two overall sections: a purpose statement, and the guidelines and principles, which cover 10 focus areas for the rules in the organisation. We will go over each point below.
First, we should provide a purpose statement. Generally, this should state that the document is a set of guidelines that all staff of the organisation are expected to follow. This is where the framework for the document is set. We give an example here:
“X focuses on ensuring the availability, confidentiality, and integrity of its systems and data. All staff must act in a responsible, ethical, and legal manner. All X staff, consultants, and temporary staff are required to manage knowledge with care and discretion, whether written, electronic, or verbal.
Therefore, the handling of information must be in accordance with X’s information security policy and the guidelines and principles listed below. To ensure this, the staff of X are continuously trained in and made aware of topics within cybersecurity and the GDPR.”
The purpose statement lays down the basic rules for the use of IT in organisation X and explicitly states the expectation of the staff’s continuous training and awareness.
The guidelines and principles point out specific rules to follow when using IT systems in the organisation. Here, we have added 10 points as examples with some principles to follow.
Confidentiality is normally covered in employment or project contracts, but it is still useful to state it in the guidelines to emphasise its importance. The section states that the organisation expects confidentiality from its employees when it comes to confidential information, e.g., customer information. We give an example here:
“You must handle all of X’s information with discretion and care. Under no circumstances should you access or use information, systems, or networks that are not necessary for your job. Do not share confidential information with colleagues, consultants, or temporary staff who do not have a job-specific need for this information. You may not share confidential information with third parties unless it has a clear business purpose. When working with external parties, they must have signed a declaration of confidentiality.”
This section is where the organisation sets requirements for the users’ passwords and access codes. For example, you can state requirements for length or for the use of digits or special characters. You can also encourage people not to reuse passwords. We give an example here:
“All passwords and PIN codes are personal. To create a strong password, we recommend a long password of at least 12 characters, using both uppercase and lowercase letters, and numbers. When leaving your workstation, you must log off or lock the machine. Never write passwords on bulletin boards or paper, and never store them on a hard disk or in e-mail.”
The physical framework deals with how to handle information, data, and papers, whether on one’s desk or elsewhere in the organisation’s physical space. We provide an example here:
“Please ensure that your desk is organized and that there are no important documents in plain sight when you are not using them. Confidential information must be placed in locked drawers, cupboards, or the like to avoid unauthorized access. At the same time, be aware of the visibility of your PC screen. You should not have confidential and sensitive data open when unauthorized persons behind you could watch your activities over your shoulder.”
This section deals with how to handle equipment and documents outside of the company’s or organisation’s premises, e.g., when working remotely. Recently, more and more companies have had to define this concretely, as working from home has become a necessity.
Expectations here may differ from those on the premises, and they mainly focus on securing the organisation’s equipment. We provide an example here:
“If you bring IT equipment outside of X’s premises, it must be secured with a PIN or password that provides sufficient protection against access by unauthorized persons. When flying, mobile equipment and documents must always be carried as hand luggage.”
Nowadays, cloud services are widely used and software can be downloaded from the internet in seconds. Therefore, it is essential to set some general rules on what types of services may be used and downloaded, as it can be incredibly difficult to control and keep track of your team’s activity otherwise. We give an example here:
“All IT systems, equipment, or memory storage devices must be approved by X and follow company standards as issued. Never connect unauthorized equipment to workstations or networks. This also applies to USB keys and smartphones. Additionally, you may only install or download programs if you have been permitted to do so.
Software and equipment are the property of X and must be treated accordingly. Therefore, they must not be lent to others, including family. For data handling, you must use X’s internal file server. Use of cloud-based services such as Google Drive, Dropbox, and web-based file sharing is only allowed when receiving data from external parties. It is not permitted to upload X’s data to unauthorized services. Software must always be used according to the licence terms X has agreed to.”
This section covers how user accounts are to be used in the organisation’s IT systems. A common problem is that several users share account details and use each other’s logins. We recommend a rule that staff may only use their own user credentials, so that nobody gets into trouble because of the actions of others. We give an example of the guideline here:
“User rights must be respected; therefore, only use your own user credentials to log in. Never share your user information with others, including your employer. Misuse of credentials and digital activity can leave digital traces that have a negative impact on X.”
Here, you can describe best practices and limitations for digital activity on company-owned equipment. It is important to set realistic expectations, and some of these can be common sense. For example, it would be excessive to ban visiting public websites or checking one’s private e-mail altogether, but you can limit the level of private use during work hours. Needless to say, illegal websites and activities should be banned. It is up to your organisation to specify rules that leave your team some freedom while still drawing a clear line. We provide an example here:
“Please minimise the private use of the Internet and e-mail on X’s equipment. Save personal documents locally in a folder on your computer labelled ‘Private’. Personal data must not be sent by e-mail. Under no circumstances may work-related online correspondence take place through anonymised communication channels. It is strictly forbidden to use X’s e-mail accounts, computers, tablets, and mobile phones to view pornographic, racist, extremist, or criminal content. When receiving an e-mail, check the sender’s e-mail address before opening unknown links and documents.”
This section communicates that the organisation can log and monitor the team’s digital activities. It does not necessarily mean that this is done routinely, and, more importantly, you still respect your team’s privacy. But bringing it to their attention encourages them to act accordingly. We provide an example here:
“X respects the individual employee’s privacy and complies with local laws and regulations. However, we reserve the right to log IT use and, in special circumstances, to require access to an employee’s e-mail and files.”
The handling of personal data is closely tied to the GDPR. Normally, compliance with the GDPR requires more elaborate processes than a set of rules in a document on IT use. However, the guidelines are still a place where employees can be made aware of the handling of personal data through some very general requirements. These requirements say little about the processes that make you compliant, but they create awareness of the importance of handling personal data properly. We give an example here:
“At X, we are very careful to take good care of and protect the personal information that our customers, members, employees, and partners have entrusted us with. We work continuously to develop and implement secure processes, which must ensure the legal and secure processing of personal data.”
The last point illustrates how to report security incidents. It should be a requirement for employees to report security incidents that they observe or are exposed to. You can provide examples of what a security incident might involve and to whom it should be reported. The important thing is that your team knows when to act and whom to contact. We give an example here:
“If you suspect a security incident, you must immediately report it to your immediate manager and the IT department.”
The guidelines make it possible for your team to easily check what they can or cannot do. However, it is important to point out that this effort cannot stand alone; you cannot just write down the rules and expect everyone to abide by those rules. Your team must be trained on a continuous basis to ensure that awareness is always there.
The IT security policy and guidelines provide a strong foundation for creating a good cybersecurity culture in your organisation. If you would now like to get started with the IT security policy as well, you can find a similar guide here.
It is important that the documents do not just sit and collect dust once you have filled them out, but that you continuously review and update them. We recommend that you do this annually. Additionally, you must work actively with the objectives and guidelines from the two documents, so that the cybersecurity culture is reinforced.
We hope you found the template and guide useful!