IT Policies Every Small Business Should Have

Every company that uses computers, email, the internet, and software on a daily basis should have information technology (IT) policies in place. It is important for employees to know what is expected and required of them when using the technology provided by their employer, and it is critical for a company to protect itself by having policies to govern areas such as personal internet and email usage, security, software and hardware inventory and data retention. It is also important for the business owner to know the potential lost time and productivity at their business because of personal internet usage.

Consider the following scenarios, which are not uncommon in most companies:

  • Carol, in the marketing department, has a nine year old daughter who is selling gift wrap for her elementary school's annual fundraiser. Carol sends an email to the entire company letting everyone know the catalog is in the break room and they should email their orders to her within the next week. Is this an appropriate use of the company email system?
  • In the purchasing department, Bob's acquisition software is being updated. Unable to access it and thus perform one of the many functions of his job, he decides to surf the web while he's waiting for the updates to complete. He heard about a controversial video involving a celebrity and decides to see if he can find it. In the process, he finds several pornographic websites that catch his attention. Is this an appropriate use of the internet at work? What are the ramifications for Bob if a co-worker sees what he's found online? What are the ramifications for the company if that co-worker files a sexual harassment suit as a result?
  • Jennifer has just been hired as the first in-house graphic designer for a non-profit organization. Her start date is in one week and she needs to be ready to hit the ground running to design and produce a brochure for their capital campaign. She needs a Macintosh computer complete with graphic design software as well as email, internet access, word processing capabilities, and access to the network for shared files. Who will be responsible for purchasing, configuring, and maintaining her computer?

Without written policies, there are no standards to reference when both sticky and status quo situations arise, such as those highlighted above.

So, what exactly are the IT policies that every company should have? There are six areas that need to be addressed:

  1. Acceptable Use of Technology: Guidelines for the use of computers, fax machines, telephones, internet, email, and voicemail and the consequences for misuse.
  2. Security: Guidelines for passwords, levels of access to the network, virus protection, confidentiality, and the usage of data.
  3. Disaster Recovery: Guidelines for data recovery in the event of a disaster, and data backup methods.
  4. Technology Standards: Guidelines to determine the type of software, hardware, and systems will be purchased and used at the company, including those that are prohibited (for example, instant messenger or mp3 music download software).
  5. Network Set up and Documentation: Guidelines regarding how the network is configured, how to add new employees to the network, permission levels for employees, and licensing of software.
  6. IT Services: Guidelines to determine how technology needs and problems will be addressed, who in the organization is responsible for employee technical support, maintenance, installation, and long-term technology planning.

You may be overwhelmed by the thought of creating IT policies, particularly if you don't have a firm grasp of technology. The good news is that you won't need to draft these policies from scratch. There are several resources to help you in this venture. Here are just a few:

  • (
    Created by Right Track Associates, Inc. the purpose of this website is to bring practical information, and cost effective management tools to the IT and project management communities. While some of the information on the site may be a bit more technical than you are looking for, it does provide some great articles and templates to help companies standardize their IT practices.
  • Tech Republic (
    Produced by CNET Networks, Inc., "TechRepublic serves the needs of professionals representing all segments of the IT industry, providing information and tools for IT decision support and professional advice by job function." The site offers templates and packages such as "Small Office IT Policies" at affordable prices to get you started.

"Every situation and company is different," explains Mike Carpenter, Director of IT Services for Corporate Computer Services. "There is no 'one size fits all' mentality for IT policies. Every business should, at the very least, have the basics covered, but how they cover the basics depends upon the company's culture and business needs."


Having policies and procedures simply for the sake of saying you have them is useless. It may make you feel better initially, but just wait until an issue arises for which no policy exists. Most importantly, you need to have policies with some teeth. They need to work for your company and your employees, and they need to be enforced. If you are not sure how to do this, your company may want to employ the services of a technology consultant that can make recommendations for policies according to how technology is used on a daily basis for your business.

Whatever you do, don't delay. It could cost you. Forrester, an independent technology research company, estimates that the average company (yes, even small ones) loses $1,250 per minute of downtime. If you are hit with a major disaster and have no recovery or backup policy in place, you could lose valuable time, money and even your business.