
Create company policies

Written by Cyberangels
Updated over 2 years ago

Through company policies, a company can do more than specify the correct way to perform its activities: it can also give technical and organisational instructions on the use of ICT tools, thereby preventing the risks that dangerous behaviour poses to the company's cyber security posture.

For company policies to be effective in protecting the company's information assets, the entrepreneur must clearly define at least the following elements:

  1. any specific limits on Internet browsing (with reference to times, accesses, downloads, uploads, etc.), explaining, for example, whether or not the employee may use the company's tools to make on-line purchases, including those of a personal nature;

  2. which categories of websites the company considers reliable because they are related to the business activity and are therefore permitted and legitimately accessible to the worker. When this requirement is enforced upstream by the IT manager through automatic filtering systems, the entrepreneur must inform the worker of the presence of these filters, or of any other systems adopted, that can block access to sites considered dangerous for the company and/or the downloading of unsafe files, attachments, software and so on;

  3. if and when it is possible to store files of a personal nature downloaded from the Internet or received by e-mail on the company's internal network;

  4. the time limit for retaining browsing data from individual workstations, and whether the anonymisation of such data is guaranteed (a measure that protects workers' privacy by allowing checks on the IT system to be carried out without needing to identify what each worker visited and when);

  5. whether and to what extent it is possible to use the company e-mail account for personal reasons;

  6. who can access the information stored on the IT tools entrusted to individual workers in the event of their prolonged absence, or when urgent technical checks on the IT network are needed (e.g. to protect it from an external attack);

  7. whether, and which, information can be retained for longer than the ordinary data retention period generally set by the company for needs such as backup, network management and the keeping of log files;

  8. whether and to what extent the employer reserves the right to check or monitor the computer tools entrusted to the employee, with a specific and detailed indication of the access methods concerned;

  9. the technical solutions the company has identified to guarantee the continuity of its work activity during an employee's absence, e.g. an automatic responder or automatic forwarding to another mailbox;

  10. the internal prescriptions to be observed for data and system security.

To give these internal rules of conduct on the use of the company's ICT resources greater persuasive force and binding effect, it is advisable that the entrepreneur classify any violation of the company policy as a genuine disciplinary offence, attaching specific sanctions to the rules.
