According to AS8015, "Polices, should establish sound behaviour in the use of ICT." The policy needs to ensure that the way ICT is used by the organisation, doesn't breach legal and regulatory requirements or adversely affect the reputation or other interests of the organisation.
Directors need to ensure policies and procedures are not only developed but are integrated into the everyday business operations, which involve the use of ICT. Examples, of ICT use that policies and procedures need to cover include:
Today, websites and email are being used to do business. This has elimated paper quotes, invoices and receipts. However, records of these still need to be kept in order to comply with Taxation requirements. There is no silver bullet solution to this problem. It needs a conscious action by the recipient of the email to "file" the email, for retrieval later.
The use of organisational resources, such as Internet Surfing, Telephone and Email for personal purposes such as contact with family and friends, needs to be covered by policies to ensure that the organisation does have legal access to what could be perceived to be the employees personal information.
Business Continuity plans, like fire drills, need to be tested and practiced to ensure that people are able to fulfil their roles and gaps are identified. These plans need to be based on a risk analysis and be addressed accordingly. The likelyhood of an event occurring, the financial and human cost of a contingency plan needs to be balanced against the benefits.
