From the desk of: Sam C. Chan

General IT Policies for Client Firms

Originally Issued: June 3, 2004
Last Revised: February 25, 2006

Attention all staff members: We established these policies as a default baseline for all of our client sites. They're based on general IT consensus and current prevailing practices in United States. Your firm (and your particular branch office), your employment contract, and personnel handbooks might impose additional rules, or grant specific waivers, which override this general document. Use this as a basic guideline. When in doubt, always ask first!

What's allowed? What's not?

There are three main categories of rules for IT-related activities:
Customization, installation, and web site "surfing."
The few customization items allowed are listed below. All those not mentioned should be considered improper & disallowed. For installation and web surfing, the rules are best expressed not in simple yes/no, but in details showing various risk factors and levels. For explanations and how to interpret these risk factors, see legend below the 2 tables.

Customization/Personalization: (generally allowed, within good taste/judgment)
  • web start page (be sure to not leave a page unattended with streaming content)
  • windows color scheme (reasonable choice, not to interfere with IT support)
  • personal wallpaper (passive images files, never download .exe packages!)
  • change screensaver (but never install new unauthorized ones!)
Install Programs/Items A S C B T D O L
AIM, MSN/Yahoo Messenger                
VoIP clients                
any web "toolbar"                
music sharing (so-call P2P, we refer to them as APE)                
personal applications (including personal business)                
gaming applications                
webcam client software (including nanny/traffic cam)                
unauthorized remote access host/agent                
remote access client                
"desktop search"                
streaming radio/video player programs                
upgrade applications*                
upgrade/patch O.S.*                
security "fixes" programs (including "anti-spyware")                
store personal data files                
setup personal email account in Outlook/Exchange                
ftp server/client                
java applets (specific sites/programs)                
Sun J2RE (java virtual machine)                
business applications*                
Adobe Macromedia Flash/Shockwave                
Microsoft LiveMeeting (Placeware)                
Business-related site-specific active-X                
Approved online "security scan"                
pcAnywhere Active-X                
Visiting Web Sites A S C B T D O L
online/downloaded games                
music download                
celebrity sites                
job search/resume                
stock quotes/portfolio management                
sports, hobby, entertainment & leisure activities                
streaming radio/video                
news & weather (during breaks, while on-hold)                
personal email via web (occasional check)                

Risk Factors

A Attack Risk
S Stability (compatibility issues)
C Confidentiality (Info Leak)
B Bandwidth Consumption
T Time Waster
D Distractions
O Offensiveness to co-workers
L Legal Liability to the firm

Risk Level

Red Extremely High
Pink High
Yellow Moderate
Green Acceptable
Grey Not Applicable (none)

Dos & Don'ts: Generally, anything with one or more Red is automatically banned. Anything with all Green/Grey is generally allowed. Most pinks are also banned.

* Approved programs only, preformed by DIFA

The following items are not allowed:

  • Unauthorized backup/copy of company files onto any storage media, including diskettes, USB drives, CD or DVD discs.
  • Unauthorized replication of folders onto personal laptop/notebook/handheld devices.
  • Disabling or otherwise tempering with security devices and software settings, including firewall, changing of pre-assigned IP address, MAC address, etc.
  • Sharing account password with unauthorized co-workers.
  • Withholding security incident information from IT personnel.
  • "Borrow" company software for installation at home.
  • Disclosing forbidden items (per checks & balances rules) to IT personnel:
  • line-of-business operational secrets
  • confidential client data
  • financial information, including company credit cards, etc.

Checks and Balances Rules:

  • CTO/IT director has clearance and access to all user accounts on domain/server and all physical files, but not password to financial software.
  • CFO/office manager in charge of bookkeeping has clearance to all financial matters but not physical file access.
  • CTO must disclose master administrator password with CEO/owner, so that in the event IT key person is incapacitated or is terminated, the firm is not in limbo.
  • CTO, CFO & CEO must disclose any personal friendship or joint business ventures with any staff members.

Social Engineering Precautions:

  • Beware of spoofed email. When in doubt, voice verify.
  • Do not disclose any information to in-bound telephone calls, no matter how urgent- and authoritative sounding the party is.
  • Do not allow stranger with seemingly convincing "uniforms" and/or stories to have physical access of IT infrastructure: server, workstations, routers, power panel.

Copyright @2005-2006   Bravo Technology Center  *  Bravo:GO  *  Contact Us