Implementing Information Communications Technologies (ICTs) in an organization is one thing, getting the organization to use it for the intended purposes it is another. When you visit some offices, you will notice staff entertaining themselves on Facebook, chatting through Yahoo! Messenger, emailing pictures to friends and family, or playing online games. All of these occur during work hours! Even worse, in some offices you find staff watching Nigerian movies (NOLLYWOOD) on their PCs or laptops. And with the 4G/3.9G modems that are on the market today, more musical video downloads and Skype video conferencing (non-work related) have become ubiquitous. Upon seeing this, you begin to wonder whether there are any controls regarding the use of ICTs in the organization. In today’s article, I discuss ways to develop an ICT policy to govern the use of ICTs within an organization.
Undoubtedly, today’s workforce is one characterized by an increased use and familiarity with digital communications, social networks, instant gratification and a 24/7 always-on connected lifestyle. The phone (mobile or desk phone), e-mail and the Internet are the most important communications tools used in the workplace today. In a nutshell, the workplace is continuously being defined by increasing flexibility and mobility, where employees are able to work however, wherever and whenever they choose.
But all of the developments that ICTs bring do not come without risks, especially when employees in an organization are given no limits on how to use these tools. The improper use of ICTs bring about negative impacts the organization’s mission and goals: employees tend to loose productivity due to time spent on social media in the workplace, incidents of malware directly attributed to the use of social media through the organization systems tend to increase; violation of privacy policies attributed to information shared on social media sites goes on the increase and so on. Oftentimes, technical solutions such as the installation of firewalls and other security applications are implemented to address these problems. But those measures are never enough, hence, the need for an ICT policy.
As the ICT department tries to meet the needs of the workforce, it also needs to develop policies to ensure the acceptable uses of ICTs within the organization. Developing an ICT policy for an organization is as important as having any other policy within the organization. Note also that, an effective policy allows the organization to define how and for what purposes ICTs will be used, while also providing the opportunity to educate employees about ICTs and the risks and reward associated with them.
Developing and implementing an ICT policy can also be difficult as there are no quick-fixes or one-size-fits-all solutions that can suffice for every organization. This is because every organization is different, and the approach taken to meet objectives and/or ensure compliance will vary from one environment to another, even those in the same industries. But several basic things need to be done to ensure that the organization’s ICT policy works. These include: building executive support, building consensus among stakeholders by involving them in the process, including the right contents in the policy, performing an internal and external research, drafting and ultimately disseminating the policy.
Building executive support means gaining the blessings of top management. No policy will succeed without the support of senior leadership. Therefore, the senior leadership is needs to understand the necessity of developing and maintaining an ICT policy; whether it is for compliance, cost reduction, security, Total Cost of Ownership (TCO), Return on Investment (ROI), avoiding liability, and so on. In fact, the senior leadership should participate in the introduction of the ICT policy to the organization to ensure that everyone has a clear understanding of the purpose of the policy.
Building consensus among the stakeholders is also very important since the policy will affect them. As the policy is being developed all stakeholders must be involved in the discussion of its establishment, and this can be done by creating a committee. This committee should consist of the owner of the policy, subject matter experts, frequent users of the policy, and representatives from groups affected by the policy. Including the Human Resources, Financial, and Legal departments is also a good idea. This will ensure the policy being developed is fully understood by everyone concerned and that it has their backing once it is implemented. A broad base of support is one of the best assurances for policy success.
The contents of the policy is another “component” that must be taken seriously since policies differ from organizations to organizations. But basically, the policy should include a statement of purpose, description of the users affected, history of revisions (if there are any), definitions of any special terms, and specific policy instructions from management. Additionally, performing an internal research is also imperative to developing a good ICT policy. This means an understanding of the organizations mission, goals, and culture must be gotten prior to the development of the policy. This will ensure that the policy works for and with stakeholders, rather than against them. Now, while the goal of the policy is to create a more compliant and secure environment without making things overly difficult or incomprehensible for the stakeholders, the contents of the policy should clearly state that inconveniences in terms of usability will be inevitable.
Upon drafting and finalizing the policy, the policy should be reviewed by the organization’s legal counsel to ensure that it complies with Liberian laws before disseminating it to employees. The completed policy should often be reviewed to make sure it continues to comply with applicable laws and the needs of the organization. New laws, regulations, and court cases that emerge after the completion of an ICT policy have the potential to affect it.
In terms of dissemination, it is advisable to request the Human Resource department to provide a hard copy of the ICT policy to users and have them acknowledge receipt of it. Require users to sign a document of acknowledgement to be placed in their individual personnel files. Subsequently, the policy must be placed on the organization’s Intranet, if there is one, or somewhere prominent. Stakeholders must be reminded about the ICT policy periodically though e-mails and short training presentations either on the intranet or during workshops.
Finally, a good and regularly reviewed ICT policy can be both an effective employee relations tool and a helpful defense against lawsuits. This policy should explain clearly what kind of user behavior is acceptable and what is not. For example, no user is allowed to install his/her own copy of Windows 7 on the organization’s computers; or chat on Facebook during work hours. Hopefully, the injection of an ICT policy in your organization will save the organization from litigation, reduce cost, etc., and not make users/stakeholders hate the ICT department!