The purpose of this approval draft is to address three specific issues affecting our banking company. The draft outlines the major reasons why the company should develop the proposed policies. Overall, it contains three major policies. The first is a data breach response policy that outlines the characteristics of the company together with what should be done once such issues arise in the company. In addition, the policy identifies the parties that will be responsible for its implementation and for compliance with it. It also identifies disciplinary actions that should be taken against employees who violate its code of conduct. The second policy addresses the shadow IT issue in the company. It focuses on compliance issues and on disciplinary actions that should be taken against employees who violate its code of conduct. It also covers the actions that ought to be taken for its efficient implementation. Lastly, the third policy addresses issues relating to social media accounts. It highlights what employees ought to do and not do whenever they are at their places of work. It also highlights disciplinary actions that should be taken against employees who violate the company’s code of conduct in relation to social media.
Data Breach Response Policy
Over the last ten years, our company has computerized its banking system, and there is no doubt that all its banking services are offered online. While this is a move in the right direction, it exposes our company to data breaches. Mr. Manager, I am sure you understand that our company operates in the banking sector, which has the following characteristics. Firstly, it operates in a business that handles almost 99 percent of its data in digital form. Secondly, it operates in a business that is highly sensitive to data breaches. Thirdly, it operates in a business that from time to time relies on contracted services. Fourthly, it operates in a business that handles sensitive information from customers. Fifthly, it operates in a business that depends heavily on the goodwill of its customers and the members of the public. Given these facts and the legal framework that regulates our business, there is a need for our company to develop a data breach response policy. This policy would outline the manner in which the company should handle data breach issues that might arise (Swanson, 2001). By so doing, the policy will protect our company from cyber-related attacks that might arise from employees as well as contractors. This will not only protect our company from cyber-related crimes, but it will also ensure that our employees act responsibly.
For this to happen, the following needs to be observed. Firstly, the company needs to hold employees and contractors responsible for actions that result in a data breach. Secondly, once a data breach has been identified, the IT department needs to respond immediately and take the necessary actions. Thirdly, the IT department needs to notify the relevant authorities about the issue. Fourthly, this policy should be read and applied in conjunction with the employment and contract acts. Fifthly, the risk of a data breach should be evaluated as soon as possible and the right actions taken immediately.
The following groups of people will be responsible for compliance and implementation of this policy.
- The executive leaders that make decisions for the company will be incorporated in the implementation of the policy. These people will provide their support for the policy as well as provide resources and leadership when needed.
- The head of IT department together with the members of the IT department will play a major role in both compliance and implementation of the policy. They will ensure that employees observe the code of conduct by monitoring the system.
- The company’s lawyers will also be involved in the enforcement of the policy to ensure compliance. These people will work together with the IT department in developing the policy.
- There will be a disciplinary team comprising the heads of the IT and HR departments. These people will be responsible for taking disciplinary action against individuals who violate the policy.
In case of compliance failure, the disciplinary team will take disciplinary action against the violator of the policy. The disciplinary action taken against such a person or body will be in line with the employment act for employees or the contract act for contractors (Swanson, 2001). Therefore, the decisions made by this team will be final and employees will be expected to abide by those decisions. For more information, questions relating to this policy should be directed to the head of the HR department via this e-mail: firstname.lastname@example.org
Shadow IT Policy
In this age when people are so passionate about technology, our employees might be tempted to develop IT programs without the knowledge of the head of the IT department. If our employees do this, they might expose our company to cyber attacks. In addition, they might jeopardize the reputation of our company. The issue of shadow IT remains a threat to our company because it is unacknowledged and unmanaged. If we are to deal with it, we should start by acknowledging it. From there we can plan to manage it (Johnson, 2013). Unless we do this by developing this policy, we might leave our company vulnerable to this problem.
Mr. Manager, you know that our company operates in a sector with three key characteristics relating to shadow IT. Firstly, you know that our business is founded on the trust we have developed with our customers over time. Secondly, you know that our company operates in a business environment that is sensitive to information fragmentation. Thirdly, you understand that the operations of our company rely heavily on the efficiency of our system. Therefore, if we allow our employees to develop IT programs on our system and get away with it, we might ruin our system. At the same time, if members of departments other than the IT department develop IT programs, we might expose our company to cyber threats (Johnson, 2013). More importantly, if we allow our employees to tamper with our banking system without taking disciplinary action against them, we might endanger the future of our company. Aware of this fact, I have developed a shadow IT policy that all employees need to observe in their daily practices. Compliance with this policy will be mandatory, and any question relating to it should be directed to me via this e-mail: email@example.com.
For the implementation of this policy to be successful, the following needs to be observed. Firstly, only the IT department should develop IT programs on our system. Other employees should not do it, no matter their skills in IT. Secondly, only the company’s management team, with the help of the head of the IT department, should approve IT programs to be developed in the company. Once this has been done, the IT department should develop the programs that have been approved. Thirdly, any IT-related question should be directed to the head of the IT department. Fourthly, no foreign materials should be downloaded from the internet. Fifthly, our employees need to be accountable for their actions (Banks & Banks, 2011). Sixthly, the IT department ought to monitor our system from time to time to ensure compliance. To ensure this happens all the time, the head of the IT department, assisted by the IT department, will ensure that employees observe the protocols of the policy. In addition, they will monitor our system on a regular basis. In case of non-compliance, the disciplinary committee comprising the heads of the IT department together with the heads of the HR department should handle the non-compliance issue. Any decision made by this committee should be final. As a result, employees are expected to comply with this policy without objection. Once again, any question relating to this policy should be directed to me via this e-mail: firstname.lastname@example.org.
Social Media Account Policy
In modern society, the use of technology is growing rapidly. There are no indications that this is going to slow down any time soon because technologists are constantly producing new innovations. In the recent past, we had mobile phones, which, since we developed a policy on their use at the workplace, have ceased to be a bother to us. Now we have social media platforms that influence the way people communicate. Although their invention is a great achievement to every one of us, their use might hurt the reputation of our company if we do not limit their use among our employees. Based on this understanding, I propose to develop a social media account policy to control the way our employees use their social media accounts. As I develop this policy, I understand that our company engages in business with the following characteristics. First, our company engages in the business of handling money, which can be sensitive at times. Second, our company engages in business that is guided by a legal framework. Third, our company operates in a business that has various regulations that need to be observed all the time. Fourth, our company engages in business that depends largely on reputation. Fifth, our company engages in business that requires a lot of precision. As a result of these characteristics, our employees need to comply with the proposed social media account policy for two major reasons. Firstly, they need to protect the image of our company as they use social media platforms (Johnson, 2013). Secondly, they need to handle the company’s information with the respect it deserves as they use their social media platforms.
In order to protect our company’s reputation, our employees will do the following. First, our employees will not access their social media platforms using the company’s computer devices. Second, our employees will not access their social media platforms during working hours. Third, our employees will not post work-related information on their social media platforms. Fourth, our employees will be restricted from posting images that might jeopardize the image of our company on their social media platforms. The head of the IT department, assisted by the IT department, will oversee the implementation of this policy. These people will also monitor the company’s system to ensure employees abide by this policy (Banks & Banks, 2011). The HR disciplinary team, on the other hand, will be responsible for taking disciplinary action against employees and contractors who violate this policy. The company’s employees together with contractors will be expected to comply with this policy. In fact, there will be no compromise in implementing this policy. Consequently, in terms of compliance, our employees will be expected to adhere to the above code of conduct. If an employee does not comply with this code of conduct, he/she will be summoned by the HR disciplinary team for questioning. In doing so, the disciplinary team will inform the employee about the issue and caution him/her about it. However, this will be dictated by the impact of the employee’s action, depending on the determinations that will be made by the head of the IT department. The decisions made by the HR disciplinary team will be final and employees will be expected to abide by those decisions.
Banks, T., & Banks, F. (2011). Corporate legal compliance handbook. Austin: Wolters Kluwer Law & Business.
Johnson, L. (2013). Computer incident response and forensics team management: Conducting a successful incident response. Amsterdam: Elsevier.
Swanson, M. (2001). Security self-assessment guide for information technology systems. National Institute of Standards and Technology.