Small/start-up Co. IT policies?

Small company with three partners that is going to grow quite quickly over the coming months. Using Google Apps for Business, through Google Chrome/Android or iOS apps or Safari etc.

No hardware restriction on users as the google experience is pretty much platform independent and we have at least one freak who uses Apple stuff. Some users will be using their own hardware, others might be given a chromebook (likely) or maybe a windows laptop (possible) or Macbook (over my dead body).

Im just drafting a note on some IT policies. Doesnt need to be too restructive but it would be good to have something to point at if something goes wrong. Mostly it’s about managing files in Google Drive and sharing etc and not using non-commercially licensed stuff for business.

What would you put in, in simple words, to cover things like user obligations on anti virus (Apple? Chromebook? needed?), or not using P2P, grot on company BB connection?

There will be NO restrictions on watching TdF or listening to spotify or online radio, or having STW forum up, natch.

Goat pr0n only at lunchtimes/evenings.

You will struggle unless you can control local admin login. Otherwise people will install what they want including P2P clients etc and disable any virus protection you put on.

For it to be worthwhile it will end up quite long and detailed. Its a bit like saying I want to learn how to fly a plane but keep it simple and low on detail.
Dont mean to be negative but these documents are often long and boring for a reason

Sounds more like acceptable use policies.

However, as a starter for IT policies, SANS are excellent for stuff like this.
http://www.sans.org/security-resources/policies/

allthepies – Member
Goat pr0n only at lunchtimes/evenings

and you may only slag off your company or customers on the internet if pissed – and it has to be funny

its not intended to be a policy document like a law, more a guidance of acceptable behaviour and principles of process/use.

Its not for a big faceless corporate, this is to make sure some 50+ year olds dont keep key documents stored ont heir local drive or launch exe files that arrive in their inboxes 🙂

Something along these lines, define your SHALL’s and MUSTS – and include other topics such as mobile usage, teleworking, electronic comms

this should give you a starter though

ACCEPTABLE HARDWARE AND SOFTWARE USAGE
Only corporate systems SHALL be connected to the corporate network.
User SHALL NOT install and connect network devices such as WLAN Access point to the corporate network.
Equipment, information or software of the group MUST not be taken off-site without prior authorization.
Employees are not allowed to install non-authorised software. Software SHALL only be acquired through sources defined by information technology, to ensure that copyright is not violated. Any maximum number of users permitted by a licence SHALL NOT be ex-ceeded.
All employees, contractors and third party users MUST return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

MALICOUS CODE & VIRUS PROTECTION
Employees MUST make sure to always run the standard, supported anti-virus software as available from the corporate download site
Employees SHALL NOT open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “dou-ble delete” them by emptying the deleted items folder.
Employees SHALL delete spam, chain, and other junk email without forwarding, in ac-cordance with the Acceptable Use Policy.
Employees MUST NOT download files from unknown or suspicious sources.
Employees SHOULD avoid direct disk sharing with read/write access unless there is an absolute business requirement to do so.
Employees MUST always scan a storage device from an unknown source for viruses be-fore using it.

Also have a look at Insightly for a CRM. Free for 3 users, then builds slowly. It looks OK to me.

If there is only 3 of them why don’t you just talk to them?

All business software not bought through the business must be checked for licenses.
Name your AV to use
Nothing illegal/dodgy on the work machines no P2P software etc. (I know there are sensible and good reasons to use it but do it at home)

You may want to consider a Social Media “policy” too, had some great fun trying to re-bottle a few genies for clients recently.

cheers guys.

I think some may have missed the nature of the IT system – there is no corporate network “at risk” unless you count the Google Apps system. The only bit of hardware in the office will be a Broadband Router and maybe a few additional WiFi access points.

Moses – thanks for the tip, I shall have a peek.

DT78 – talking to them is a matter of course. The document is intended to be codify good practice and be used to guide new hires. We may end up at 10+ people within a year.

mike – I came to the same brief list of points as you and was wondering if there were others in a similar vein that I missed. Since you stopped there, I think Ive probably got the key ones and arent missing any glaring policies. Thanks.

I insisted that own machines must have working AV and a full scan must be carried out before connecting to our network. Slightly different as we have office IT and have to satisfy the PCI version C assessment.

DT78 – talking to them is a matter of course. The document is intended to be codify good practice and be used to guide new hires. We may end up at 10+ people within a year.

tbh Better to ‘install’ good practices from Day One than try and change bad practices later.

For a starter for ten, I’d ensure that you’ve something in place to ensure that backups of data is automated and offsite and that one of you (initially) takes on the role of IT Guru and ensures that a single AV solution is installed, used and maintained.

Also agree an email format – firstname.secondname@company.com/co.uk.

We may end up at 10+ people within a year.

*swoon*

With regard to AV, rather than get everyone to take responsibility for their own protection (a big risk IMO), I’d recommend having a look at Webroot Endpoint protection – ideal for what you have. It’s a cloud-based / SaaS AV package with a very small footprint. You have central management via the web and the machines protected don’t neccessarily need to be on the same domain or network. It also protects android devices

http://www.webroot.com/gb/en/business/products/endpoint/

We’re using it here across 50+ devices and have to say it works really well. Reasonably cheap and there is a free trial available – it runs happily alongside other AV too.

Edit – can also be used on Mac (and android using an add on), but not apparently on Chromebook yet.

I wrote our companies first IT policy about 13 years ago, it was about two paragraphs long and something along the lines of: Back things up to the servers and don’t do anything illegal or which could bring the company into disrepute.

I’d follow the Charlie the Bike Monger / SSUK approach and sum it up in a single line.

“Don’t be a Dick”