6 easy IT policies all companies should implement right away!

Many small businesses make the mistake of skipping over policies. They believe that formalities are not necessary. They will simply inform staff what is expected when it comes up, believing this to be sufficient. However, this attitude might lead to problems for small and mid-sized business owners. Employees are not mind readers; they may misinterpret your intentions. If you don’t have any rules in place, you risk being in a bad legal position if something goes wrong.

Did you know that three out of every four employees access their social media while at work? And of those, one-fifth spend an entire hour each day on social networking sites. In some workplaces this is a direct violation of policy; other companies, however, do not have any specific rules in place.

IT policies are key to overall IT security and comprehensive technology management, regardless of business size. This guide will get your company started on creating the most important IT policies for its success.

If you don’t already have these policies in place, you should!

Password Security Policy


This policy will ensure that your company’s passwords are secure and up to date. It will also prevent employees from using the same password for multiple accounts.

A password security policy provides guidelines to your team for managing their login passwords, such as:

  • The recommended length for a password
  • How to construct complex passwords using at least one number and symbol
  • How to keep passwords safe and secure
  • The use of multi-factor authentication anywhere it’s an option
  • How often the password needs to be changed

Many of these things can be controlled through your domain controller or Azure AD. If you are using Office 365 but not utilizing Azure AD to manage sign-on, you should check out this article: “If you have Office 365, you should utilize Azure AD to protect your firm for free!”

Acceptable Use Policy (AUP)

The Acceptable Use Policy is a broad policy that applies to the entire company. It explains how employees should utilize technology and data in their work environments. This policy will regulate matters like device security. For example, you might need workers to keep their devices up to date. If this is the case, it’s important that the requirement be included in this document.

An AUP should include:

  • The company’s stance on data security
  • Guidelines for acceptable device usage
  • Internet and email use policy
  • How to report a breach in security protocol


Device Security Policy

This policy will ensure that all devices used for work are secure. This includes laptops, smartphones, and any other devices that connect to the company network.

A device security policy should include:

  • How to keep devices secure
  • What to do if a device is lost or stolen
  • How to report a breach in security protocol


Approved Software Policy

This policy will ensure that only approved software is installed on company devices. This will help to keep the network secure and protect against malware.

An approved software policy should include:

  • A list of approved software
  • How to install approved software
  • How to report a breach in security protocol


Backup and Disaster Recovery Policy

This policy will ensure that all data is backed up and that there is a plan in place for disaster recovery.


A backup and disaster recovery policy should include:

  • How often data should be backed up
  • Where backups should be stored
  • How to restore data from a backup
  • How to report a breach in security protocol


Cloud & Application Use Policy


This policy will ensure that only approved cloud applications are used. It will also help to keep data secure and protect against malware. “Shadow IT” is a term for the unauthorized use of cloud applications by employees, and it’s become quite a problem in recent years. Some estimates put the percentage of company cloud usage taken up by shadow IT at 30 to 60 percent.


A cloud & application use policy should include:

  • A list of approved cloud applications
  • How to install approved cloud applications
  • How to report a breach in security protocol

Not only should it provide a way to suggest apps that would enhance productivity, but it should also offer a way to easily report any unauthorized usage.


Data Management Policy

How should data be sent or transferred, and how do you tell your staff what can and can’t be shared? That’s what a data management policy is for. You need to consider both internal and external data when crafting this policy.


When it comes to internal data, you’ll need to decide who has access to what. You’ll also need to set up guidelines for how that data can be shared. For example, you might want to restrict the use of email for certain types of data. External data is a little trickier. You’ll need to decide how you want to share data with clients and vendors while still keeping it secure.


A data management policy should include:

  • Internal data guidelines
  • External data guidelines
  • How to report a breach in security
  • What encryption protocol will be used when sending sensitive data
  • A definition of what sensitive data really is (e.g., anything with login info or personal information)

This policy will ensure that all data is managed securely. This includes both physical and electronic data.


Wi-Fi Use Policy

When it comes to cybersecurity, public Wi-Fi is a problem. According to a recent poll, 61% of respondents said that workers use company-owned devices to connect to public Wi-Fi. This is a huge security risk, as public Wi-Fi is often unsecured. This could potentially lead to leaked login credentials or stolen data.

You should remind employees that they must not use their connected devices to access company data when using public Wi-Fi. They should check the guidelines for each service individually before connecting to a hotspot or accessing any data on it. Often, the use of a VPN is strongly recommended when accessing sensitive company data over a public Wi-Fi connection.

A Wi-Fi use policy should include:

  • How to connect to secure Wi-Fi networks
  • When to use VPN
  • What type of information can be shared over Wi-Fi
  • How to report a breach in security protocol

Social Media Use Policy

Social media has become ubiquitous in the workplace, so it’s important to manage its use. If left unchecked, scrolling and posting could eat up hours of productive time each week. A social media use policy will help to keep employees focused on work while still allowing them to enjoy the benefits of social media. This can be done by limiting the number of social media sites that can be accessed during work hours, or by blocking social media sites altogether.

A social media use policy should include:

  • Which social media sites can be accessed during work hours
  • How to access social media sites while at work
  • What type of information can be shared on social media


Get assistance making your IT policy documentation and security stronger.

AlphaCIS can help your organization address IT policy, find areas of improvement and fix any outstanding security issues. Reach out today to schedule a consultation to get started. You can also call us at (678) 619-1218.