On Tuesday, March 9th, Loom’s Chief Technology Officer, Vinay Hiremath (@vhmth) announced on Twitter that the video messaging app had suffered a security incident.
After a configuration change to their content delivery network (i.e., CDN), some users on Loom’s technical team noticed they were being served other users’ sessions — that is, you’d log in & instead of your own videos & clips recorded with Loom, you’d be able to see other users’ accounts and videos.
Within 27 minutes of being alerted, they disabled their application and reversed the settings that caused the error. Three hours later, the error was fixed, cached user data was cleared for all users & Loom was back online.
By March 9th, Loom’s CTO Vinay Hiremath notified users & published a detailed thread on Twitter explaining exactly what went wrong—all within 48 hours.
In comparison, when Equifax was hacked in September 2017, 145.5 million customers’ Social Security numbers, birthdates and sensitive data were exposed — but Equifax didn’t notify their users until a month later. When the dust settled, they settled a class action lawsuit for $675 million for their customers' damages.
The significant difference between both companies’ handling of these security incidents was their IT policies — while Loom’s policy helped them pinpoint the issue and remediate it in <4 hours, it took Equifax weeks to do the same thing.
That’s why IT policies matter. They help employees in growing companies figure out how to use and manage technology assets, respond to security incidents and emergencies, restrict access to sensitive information and ensure business continuity when disasters occur.
What are IT Policies?
IT policies are general guidelines on how to manage technology resources inside a company, including:
- Acceptable use cases where company devices, SaaS subscriptions, and servers can be deployed.
- Defining and restricting access to confidential data and how to handle sensitive documents and resources.
- Standards operating procedures that explain how to use and secure device passwords, firewalls, networked hardware wireless network usage, etc.
- Physical security standards designed to protect company hardware from damage, theft, or unauthorized access.
- Step-by-step incident response guidelines that explain what steps stakeholders should take in the event of a breach.
IT policies help medium and enterprise-scale companies create scalable and reusable procedures for responding to change —they serve as set-and-forget manuals different departments and teams can rely on instead of starting from scratch whenever there’s a change to onboard new employees, grant them access to technical resources, use a corporate device outside the office (i.e., remotely), respond to a hack or malware attack, etc.
IT policies vs. SOPs: What’s the difference?
You might wonder, “doesn’t that sound like standard operating procedures with extra steps?” After all, as the name implies, standard operating procedures are a set of step-by-step instructions that explain how routine tasks are carried out.
Now, we have to establish that while IT departments also have SOPs for managing technology assets, they are used differently from the way policy docs are used.
While SOPs & IT policies are pretty similar, the difference is right there in the definitions — IT policies are general guidelines that are strongly suggested, while SOPs are detailed, step-by-step instructions a user must follow for a process to be successful.
And, very importantly, SOPs are designed based on past experiences, while IT policies are usually industry best practices created from the beginning.
In summary, SOPs are:
- Designed to solve future problems based on experience.
- Built for specific, complex tasks.
- Usually written by stakeholders who’ll be using them or at least will be involved in using them.
On the other hand, IT policies are broad and very generalistic, and they’re usually based on industry best practices. While SOPs are often rigid and must be followed sequentially, IT policies can be flexible in exceptional situations that are not covered by the policy.
We’ve published dozens of in-depth guides on SOPs, including one that explains the difference between SOPs & policies in detail and why you need both as part of your knowledge management strategy.
Why do IT policies matter?
IT policies help growing companies protect their technology infrastructure, data, and intellectual property from cyber threats, regulatory violations, and other risks.
For instance, a five-person startup made up of engineers and a designer may not see the need for IT policies & SOPs—they’ve all been working together from the start and no doubt, everyone knows how to update subscriptions, secure their device, evade phishing emails, pay vendors compliantly, and not misuse company resources.
At that stage, it doesn’t even make sense for hackers & ransomware vendors to attack you — you’re just not big enough for them to bother.
But, once you start scaling up and you’re at 51 - 200+ employees, everything can get messier. You now have a mix of non-technical employees who can’t figure out basic technical details that developers and hackers take for granted; there are dozens of middle managers who have the authority to hire freelancers but don’t know how to do it compliantly; a few employees using their corporate email addresses for private conversations, and; a higher risk of being attacked by hackers, malware, etc.
It’s not a matter of if but when emergencies will arise and you don’t want to be left unprepared when it happens.
IT policies serve as a second brain where growth-stage companies can store best practices for managing technology assets, whether it’s setting up a new hire’s laptop or pushing code to production.
1. Speed: IT policies help enterprises make changes quickly
IT policies proactively plan for changes, emergencies, and crises before they happen. As a result, there’s a game plan ready to swing into action the moment you confirm changes to your operations, whether you’re onboarding a new hire, resetting device passwords after a security incident, or onboarding a third-party vendor.
IT policies help businesses default to action. Otherwise, large enterprises spend days (or weeks) debating with their legal team, making up ideas on the go, and delaying endlessly.
2. Enhances security & data management
The first line of defense IT policies offer is that they help you restrict who can access sensitive information, both within and outside your company. This is achieved with policies designed to address remote device access, perimeter security (i.e., offline device security), password management, and VPN usage.
But there’s no guarantee your security won’t be breached sometime in the future. Or, as former FBI Director, Robert S. Mueller, puts it, “There are only two types of companies: Those that have been hacked and those that will be hacked.”
Yet, combining data encryption, information security, identity theft protection and remote access policies can help your technical department minimize damage and remediate impact if and when bad actors access your technology infrastructure.
IT policies increase the barriers to entry for malware and bad actors and make it easy to pinpoint & eliminate them when they manage to infiltrate your company’s technology layer.
As your company scales up, it gets harder to track whether employees are adhering to applicable regulations and compliance standards. That’s the biggest blackhole where policy violations originate, and according to an April 2021 survey of missed compliance obligations by Gartner:
- Thirty-two percent of employees surveyed said they couldn’t find relevant information when they missed a compliance obligation.
- Twenty percent didn’t recognize information was even needed.
- Nineteen percent didn’t remember.
- The remaining 29 percent of employees who missed a compliance step said they didn’t understand (16 percent) or failed to execute it (13 percent).
Or put simply, most employees actually want to follow compliance guidelines if they can find helpful documentation to guide them. IT policies serve as beacons that explain your approach toward regulatory standards, why they exist, and the consequences of not applying them.
What key areas should your IT policies cover?
Your internal policy strategy should cover all the branches of your technology infrastructure to ensure your technical tools are used responsibly and protected from unauthorized access, theft, or sabotage.
Software usage policies explain what type of conversations your employees are permitted to use their corporate address for, which websites they’re allowed (or prohibited) to access., how they can use your company’s SaaS subscriptions, etc.
Security incident response policy
An incident management policy describes how your company intends to observe, prevent, and mitigate software-related incidents, such as data breaches, ransomware attacks, insider leaks, distributed denial of service attacks (i.e., DDoS), or physical hardware theft.
Mobile device management
Device management policies lay out how company-owned devices should be used, including who can access them, how they’re issued to new hires, and a course of action for recovering them after a staff is dismissed or decommissioning them when they’re at the end of their lifetime.
Whether you're planning for natural (flooding, cyclones, earthquakes, etc.) or man-made (power outages, sabotage, ransomware attacks, etc.) disasters, a recovery policy outlines a business continuity plan your employees can execute, as well as a course of action to help you weather these potential interruptions to your operations before they occur.
For instance, if you run a data center, your disaster recovery plan in the event of a regional grid failure might include backup generators, a solar array, industrial inverters, etc.
Bring your own device policy
Suppose your employees are permitted to use their personal devices for work. In that case, a BYOD policy outlines the steps they must take to connect to your company’s technology infrastructure, log into accounts, download sensitive files locally, etc.
The benefits of using Scribe for IT policy development and management
Scribe is a new, faster way to document procedures. The extension and desktop app enable you to build how-to guides without breaking up the flow of work. Just click record and let Scribe do the rest.
Here's one in action.
And with Scribe's Pages feature, you can combine Scribes with video, images and more to create your policy framework. Take a look at our template policies already available in Scribe's template gallery.
Here are some of the many ways your team can benefit from using Scribe.
Speed: Scribe reduces the time teams spend on SOPs by 93 percent
Depending on the level of your experience (in your particular field), the size of your organization, and the number of scenarios you’re trying to cover, it can take between four to six hours to several weeks to draft an IT policy guide. And whenever requirements change, you’ll typically have to consult with stakeholders again to update your IT policy guidelines to meet your organization’s use cases.
That’s, perhaps, the biggest advantage Scribe offers over a traditional policy draft — speed. Instead of slowly trying to explain 3D situations to your users via text, with Scribe, you can record your screen in one click. Scribe will automatically annotate, caption and turn those recordings into step-by-step user guides in just minutes.
You don’t need to screenshot pages individually: once you turn on Scribe’s recorder, it captures every action you take on screen and turns it into a written sequence users can follow.
Or, as Sidd Hora, a Sales Operations & Enablement Manager at Crosscard puts it,
“With Scribe, I didn’t have to take the screenshot. I didn’t have to put an arrow to tell the reader to click this button. I didn’t have to describe the process. It made my life quite easier by using the product.”
Before switching to Scribe, Crosscard’s sales team had to create and annotate documents before pasting them into Confluence. But, since they switched to Scribe, it takes 93 percent less time to screen-capture sequences, convert them to guides, and embed them inside Confluence and Crosscard’s knowledge management platform, Guru.
According to Glassdoor, an IT director earns $176,665 per year. And, for all that, they’ll be hard-pressed to create or update more than one policy per week, given the number of stakeholders they have to consult and edits to be made as IT requirements change.
On the other hand, you can get Scribe's Basic Plan for free, with Pro pricing for individuals at $23 per month and teams at $12 per month, and for less than a quarter of an IT director’s hourly wage, our product helps companies of all sizes democratize SOPs so that anybody can create and edit them.
Scribe simplifies knowledge management so that anybody on your team can create, edit, and access guides, SOPs, and policy drafts, as long as they’ve been given access to your knowledge base.
Scribe helps managers of teams of all sizes to collaborate with members, leave suggestions, and restrict certain users' access (i.e., to either read-only or edit) to your Scribes.
Scribe integrates with the rest of your software stack so that you can embed Scribe guides in Airtable, Notion, SharePoint, Coda, Zendesk, HubSpot, or Salesforce.
Scribe’s third-party integrations are a superpower that enables you to host your policy guides inside the apps your employees use daily. This reduces discovery friction and makes it easy for users to have a second brain they can consult in a few clicks.
Supercharge your policy management with engaging, step-by-step IT policy guides
IT policies are designed as backup plans for responding to change, mitigating emergencies, and scaling up growing companies. Really, you can’t scale up effectively if your IT policies aren’t designed to react quickly enough to changing circumstances.
IT policies help growing companies react to change quickly, but it seems ironic that you might spend a week or more creating these policy drafts — and even when you do, they’re filled with corporate jargon and look like intimidating walls of text!
With just a click, Scribe will capture everything you engage with on-screen and turn it into an engaging step-by-step guide with screenshots, captions, and highlights — in just minutes.
And, of course, it's totally free to get started now!