Recommended IT Policies For Small Business In Canada

Technology management is complex. Clearly defined policies provide clarity. Below is a list of some of the more common useful policies for Canadian organizations to help you manage technology, security and expectations.

Recommended IT Policies

BYOD Policy

The legal agreement defining the use of both personal and business cell phones to access company data or perform work functions. It should be documented, applied to every device, and in accordance with your compliance and security needs.

Staff Onboarding Policy and Template

A set of procedures and policies which ensure that new employees effectively start with all the technologies needed to do their job. It should be customized by role, documented, followed, and refined with each new hire.

Staff Offboarding Policy and Template

A set of procedures and policies which ensure that exiting team members leave the organization with no remaining access. Should be used for every staff member exit.

Device Onboarding Policy

The specific set of procedures and policies used to configure all new computers for your organization. The aim is to ensure similar builds to reduce friction, ensure all applications needed for work are installed from day one, and remove administrative access to install any other apps.

Apps should be vetted by IT staff prior to installation to ensure they meet your organization's compliance needs and are in fact the authentic app, not a lookalike malware app.

Password Policies

Your organization's approach to password enforcement, complexity, and management. A healthy password policy is established and defined in your company handbook and is implemented.

To improve password security, you can use a self-hosted password manager to reduce your risk and attack vector. We like Bitwarden.

You can also improve security with passwordless access using Single Sign-On across the software and apps your team uses the most. We do this for our Toronto Managed IT Services clients. Talk to us about IT management for your organization.

Acceptable Use Policy (for company computers and email)

A set of policies dictating appropriate use of company equipment, accounts, services and systems. High-risk websites such as many social, entertainment and dating sites should never be accessed from company devices, even if using a personal login.

AI Use Policy

A set of policies dictating appropriate use of AI, LLMs, and tools such as ChatGPT for business purposes, or with client data. Developers have been clear that information collected is not secure or private. Verbatim entries have been leaked. Have a clear, well-defined policy on if and when staff are permitted to use AI tools, in what fashion, with what data etc. Also create an AI disclosure policy to make your clients aware that your company uses AI tools, and in what ways.

Social Media Policy

The legal policy addressing modern social media account activity as it relates to your organization, typically defined in a company handbook.

Employee Monitoring Policy

Canadian organizations with over 25 employees may now be subject to legal requirements to disclose to employees if they are being monitored during work, and in what ways. Review your requirements and create a policy to share with staff and new hires.

Secondary Employment Disclosure Policy

With the rise of work from home, reports of staff working two jobs simultaneously have risen. You may wish to update your HR policies with clauses pertaining to a need for employees to disclose potential secondary employment so that your organization can assess risk, conflicts of interest, protected information etc.

e-Transfer / Wire Transfer Protocol

If e-transfers or wire transfers are used, the process should be documented, require authorization by multiple staff members and be regularly used. Fraud in which false invoices and purchase orders are used to steal money from businesses is increasing.

Breach Protocol

The set of policies and processes used to handle breaches, data leaks, financial fraud via cybercrime etc. It should be documented, well-defined, validated by a legal professional and reviewed regularly with all staff so they know what to do in the event of a breach.

Tips For Managing IT Policies In Your Small Business

Depending on whether you allow staff to use personal devices to access company and client data or enforce the best practices of having only company owned computers touch company data, you may want to have some or all of these policies outlined in your company handbook.

It’s good practice to have all staff read each policy and provide a signed read receipt of understanding and agreement to uphold the policies. This can be a part of your new employee onboarding process.

New employees have a lot of information coming at them at once, and not all of it will be retained at once. As we learn in layers, reviewing the policies again during and at the completion of the probationary period can help new staff with awareness and adoption of these important policies.

Things change over time. We all forget details. Set aside time to review these policies with your team on an annual basis. 

Refresher meetings help everyone to better understand important policies that protect your business.

If you prefer to minimize the number of meetings you hold, you can distribute the policies as an e-course which staff can complete asynchronously.

Remember to update and modify documents as needed, and collect new read receipt signatures or course completion certificates as needed.

For comprehensive IT services that include modern security and standardized practices for all the technology-based policies outlined above, speak to our team here at TUCU today. We help Toronto-based businesses with IT Security Management.

