Exceptions to the Information Technology asset standards may be requested using the IT Asset Standards Exception Request Template. Upon approval of Information Technology Managers, ITAM101-3 IT ASSET STANDARDS EXCEPTION REQUEST should be submitted with the IT Asset Requisition/Disposal Form.
Exceptions to the Information Technology asset standards may be required:
To accommodate employee requirements, in which case the company’s HR Department should provide the Information Technology Asset Manager with the information necessary to appropriately address those needs in the standards; or
To further the company’s mission.
The Information Technology Asset Manager should document proposed Information Technology asset standards on the IT Asset Standards List Template. ITAM101-1 IT ASSET STANDARDS LIST covers workstations, servers, network infrastructure, printers, and more. The Information Technology Asset Manager should review the list with Information Technology Managers.
Information Technology Managers and the Information Technology Asset Manager should indicate their acceptance of Information Technology asset standards by signing the IT Asset Standards List Template. The Information Technology Asset Manager should keep the original ITAM101-1 IT ASSET STANDARDS LIST and distribute copies to Information Technology Managers and to Tech Support, recalling any previous versions of the list.
The IT BYOD Policy Procedure helps communicate specific standards and guidelines regarding the use of personal devices to conduct company business. Company employees and contractors may use their personal electronic devices (e.g., smartphones, tablets) for conducting company business, provided that they understand and agree with the “Bring Your Own Device” (BYOD) policy, have been granted express permission, and act in accordance with the policy. (8 pages, 1797 words)
IT BYOD Responsibilities:
All Employees are responsible for being aware of, understanding, and adhering to the company’s BYOD policy.
Department Managers are responsible for communicating BYOD policy updates to the employees in their respective departments.
The Human Resources Manager is responsible for communicating the BYOD policy to new employees and retaining employee policy acknowledgements.
The Information Security Manager monitors BYOD usage and enforces the BYOD policy.
The Information Technology Manager (IT Manager) is responsible for developing BYOD policy and for reviewing the policy and any changes to it with the Policy Committee. The IT Manager also oversees monitoring and enforcement of the BYOD policy.
IT BYOD Definitions:
BYOD – Bring Your Own Device, or using one’s personal mobile phone, PC, tablet, or other personal electronic device to conduct the company’s business.
Policy Committee – A group comprised of Top Management and the IT Manager. The purpose of the Policy Committee is to develop, review, approve, and revise the company’s BYOD policy, as needed.
Top Management – A group comprised of the company’s chief executive and chief financial officer, at a minimum. In larger companies, top management may include department/functional managers (e.g., VP-Sales, CTO).
To be prepared for disaster – to best ensure the continuity of business, should a disaster occur – the company should develop an IT Disaster Recovery Plan Template. The company should implement ITSD104-1 IT DISASTER RECOVERY PLAN, educating employees in their roles and responsibilities; test the Plan, to see if it will ensure rapid and full recovery; and fix flaws identified in testing, to better ensure the Plan will work when it is most needed.
The company should establish an Information Technology Disaster Recovery Planning Committee (Information Technology DRPC), composed of key personnel from each functional area within the company (HR, accounting, sales, etc.) and an Information Technology Disaster Recovery Coordinator, who should chair the Committee. The Information Technology DRPC should meet to:
Analyze and discuss the information obtained by the Information Technology Disaster Recovery Coordinator;
Identify mission-critical systems and services, determining how long each business unit can survive without those systems/services in operation (conduct a business impact analysis);
Establish recovery priorities.
The Information Technology Security Manager should test Information Technology disaster response and recovery at least once every 12 months. The Information Technology Security Manager should also test response and recovery upon any changes to the IT Disaster Recovery Plan. The Information Technology Disaster Recovery Plan should be periodically (at least once every three years) subjected to a third-party audit, to verify that the Plan is clear, sound, and continues to meet company, customer, and legal/regulatory requirements.
If a document/change is approved, a Document Change Number (DCN) should be noted on the IT Document Change Control Request Template. ITAD103-3 DOCUMENT CHANGE CONTROL FORM and a copy of the (changed) document, along with appropriate approvals, should be submitted to the Document Manager for updating the document, indexing the revision, and updating the revision history. If the document (change) request is denied, the requestor should be notified of the reason(s) for denial.
The Document Manager should circulate the final document/revision in order to obtain the required approvals (signatures). When the required approvals have been obtained, the Document Manager should update the master document list with the correct revision number, last review date, and other required information. In the case of hard-copy documents, the master document (revision) should be stored with the master document list.
Anyone may submit a new document or recommend a revision to an existing document, but the requestor must complete an IT Document Change Request Template. The ITAD103-2 DOCUMENT CHANGE REQUEST FORM should indicate the nature of and reason for the change, and be submitted with a copy of the recommended document (change) to the Document Manager.
In the case of hard-copy documents, the requestor should print a copy of the document, mark requested changes (if any) on the copy, and submit the document to the Document Manager for review. In the case of electronic documents, the requestor should, at a minimum, prepare the document and/or detailed list of changes and e-mail a copy of the document (and changes) to the Document Manager. If document changes are extensive, a new document may be typed and submitted with a copy of the original.
The Document Manager should maintain a master list of all controlled documents, the IT Document Control List Template. ITAD103-1 DOCUMENT CONTROL LIST should include at a minimum the following information on each document:
Date of issue;
Current revision number and date; and
The Document Manager should keep company documents in a secure location and control their availability and distribution.
Hard-copy originals should be in a secure storage area and control over copying and distribution should be exercised.
Electronic document location should be identified within the Document Control List.
The Document Manager should distribute hardcopy documents to locations specified within ITAD103-1 DOCUMENT CONTROL LIST and should remove and destroy any previous versions. External documents are controlled primarily for distribution purposes. All external documents and revisions should be added to the list as they are acquired.
Any employee who has evidence of an Information Technology security incident occurring or suspects such an incident may have occurred should notify the Information Technology Help Desk. The Help Desk contact should open an IT Incident Report Template and submit it to the Information Technology Manager to begin the investigation.
The Information Technology Manager should evaluate the information contained on ITSD108-1 IT INCIDENT REPORT, determine the potential for loss and the risk to the company, and assign the incident to the Incident Response Handling Team. The Incident Response Handling Team should survey the incident scene, determine what information will be needed to evaluate the incident (logs, audit trails, etc.), and preserve and document evidence.
The Information Technology Manager should review all Incident Reports to ensure incidents are handled in a timely manner, users are satisfied with the results, and that the company assets are protected from harm. Lessons learned, recommendations, and deficiencies should be presented to the Security Review Committee for discussion.
Information Technology Managers should oversee development and implementation of an IT Information Storage Plan Template that ensures data availability, confidentiality, and integrity. ITSD103-1 INFORMATION STORAGE PLAN should also:
Enable rapid and full recovery from natural or manmade disasters;
Ensure company compliance with industry standards and/or legal & regulatory requirements for data storage; and
Allow efficient, cost-effective data management.
Information Technology Managers should design the IT Information Storage Plan Template, with the assistance of the Information Technology Storage Librarian. Information Technology Managers should submit the Information Storage Plan to Top Management for its review and approval. Upon approval of the Plan, Information Technology Managers should communicate the Plan to the Information Technology Storage Librarian and should arrange for training, as needed.
Information Technology Managers should periodically (annually, at a minimum) meet with the Information Technology Storage Librarian to review the Information Storage Plan and determine its continuing suitability and conformity to company requirements and to ensure that data are retrievable and not in danger of loss due to technology changes.
The IT Network Map Report Template lays out the connections between the router, mail server, firewall, port switch, etc. Tech Support should update ITAM102-6 IT NETWORK MAP after installing assets.
If an asset is not being used or is not being used as specified (for example, IT Asset Inventory Database and IT Network Map are not in agreement), the Information Technology Asset Manager should take corrective action, which may include:
Taking the asset out of service;
Initiating an incident report, in accordance with the IT Incident Handling Procedure; and
Updating the IT Asset Inventory Database and IT Network Map.
Nonconformities and supporting evidence should be recorded on the IT Nonconformity Report Template and reviewed with the Information Technology Security Manager, to obtain acknowledgement of evidential accuracy and ensure that nonconformities are understood. ITSD107-2 IT NONCONFORMITY REPORT should be complete with the date, auditor, area/system, description of nonconformity, and supporting evidence.
The Information Technology Security Manager should meet with Information Technology Managers to review the IT Nonconformity Report Template (if one has been generated) and plan to take corrective actions, if required. If it has been decided to take corrective action, the Information Technology Security Manager should submit a corrective action plan, including objectives, actions, and deadlines, to the audit team leader.
Information Technology Managers should use the IT Outsource Due Diligence Checklist Template as a guide to determining the outsourcing candidate’s capability to provide goods or services. ITAD109-1 IT OUTSOURCER DUE DILIGENCE CHECKLIST covers company information, material contracts & agreements, litigation, and more. Information Technology Managers should identify and select outsourcers in accordance with the Vendor Selection procedure.
Consider negotiating a “money-back” guarantee with the right to audit any bill for up to six months. Request that all fees that are proven to be unnecessary or excessive be returned. The company-outsourcer relationship should be managed so as to meet the company’s needs and requirements, conform to company budget requirements, and promote the company’s goals and objectives. This should be done by Information Technology Managers or an appointed representative, whose responsibilities should include:
Developing and maintaining mutual understanding and trust;
Communicating openly, clearly, and frequently;
Monitoring and measuring project progress clearly and consistently; and
Addressing issues promptly.
Information Technology Managers or their representative should maintain an IT Outsource Record Template on every Information Technology outsourcer and every outsourcer record should be kept in an Information Technology Outsourcer file. ITAD109-2 IT OUTSOURCER RECORD covers outsourcer ID, outsourcer name, product/service description, IT project ID, and more.
Outsourcers should be evaluated on an ongoing basis, at regular intervals, by Information Technology Managers. Outsourcers should be evaluated on the basis of performance requirements (measured against Service Level Agreements) and conformance to company standards and policies. Any outsourcer found not in compliance should be handled in accordance with the IT Vendor Selection procedure.
The IT Plan Review Checklist Template should be used to measure the Information Technology Plan’s performance against expectations. At established checkpoints in the Information Technology Plan, Information Technology Managers should meet with members of the Information Technology staff to go over the ITAS101-2 IT PLAN REVIEW CHECKLIST.
At least twice per year (more often if deemed necessary), Information Technology Managers should coordinate a meeting, to be attended by Top Management. The purpose of the meeting is to review the Information Technology Plan to ensure its continuing suitability, adequacy, and effectiveness. This review should include assessing opportunities for improvement and the need for changes to the Information Technology Plan, including the Information Technology objectives.
The IT policy manual covers the common IT requirements and practices. This sample is intended only to provide an example of wording that might be used in an IT manual. This sample wording can be helpful in generating ideas for developing a manual for your own company. However, IT policies should be drafted, as appropriate and necessary, in a way that accurately reflects your company’s IT standards and requirements. (48 pages, 8443 words)
The IT manual establishes and states the policies governing the company’s IT standards and practices. These policies define management’s arrangements for managing operations and activities in accordance with computer industry practices. These top-level policies represent the plans or protocols for achieving and maintaining the confidentiality, integrity and availability of all IT Assets.
The purpose of this Information Technology (IT) manual is to define, develop, and document the information policies and procedures that support organizational goals and objectives. The policies and procedures provide:
A foundation for a system of internal controls;
Guidance in current Computer and Network activities;
Criteria for decisions on appropriate IT security; and
IT officers with direction and guidance in connection with those IT policies, procedures, and reports that should be uniform throughout the Company.
When consistently applied throughout the company, these policies and procedures assure that the information assets are protected from a range of threats in order to ensure business continuity and maximize the return on investments of business interests. All additional departmental or functional policies and procedures written should conform to and parallel the policies in this manual. All changes to policies and procedures are required to be reviewed to ensure that there are no conflicts with the policies stated in this IT Policy Manual. This policy manual covers:
The IT Post-Service Satisfaction Report Template should have the user’s order information before making contact. The Tech Support Manager should be responsible for contacting new users five to ten business days after an Information Technology asset has been serviced.
The contact should be made by Tech Support staff other than the person who performed the installation or other service. This contact should consist of an introduction of the Tech Support representative and the purpose of the contact. ITAD110-1 POST-SERVICE SATISFACTION REPORT provides a script for the person contacting. The Tech Support representative should feel free to speak in a conversational style, substituting words or phrases in the IT Post-Service Satisfaction Report with those the representative feels the user will be more comfortable with.
The length and format of the contact should be determined by the user and the representative should always respond appropriately, according to the needs of the person being contacted. Upon completing the contact, the representative should ensure the completeness of ITAD110-1 POST-SERVICE SATISFACTION REPORT. If the representative encounters any unusual or informative items, requests, or comments by the user, this report should be copied to any interested parties (e.g., Sales, Engineering, Quality Control). The report should be forwarded to the Quality Assurance Manager for review and possible action.