Writing Nonprofit IT Policies and Procedures

As with any operation, your IT department becomes more difficult to manage the more it grows. If you’re the part-time techie at your nonprofit, you don’t need a lot of elaborate policies and procedures. However, if there are seven IT staff and 60 regular employees in your organization, it’s more important to have some written statements regarding rules and expectations. IT policies usually serve several purposes. They protect your organization legally by specifying the behaviors that you allow and prohibit on your network. They manage employee expectations by specifying the IT department’s priorities, obligations and response times. Finally, IT policies promote accountability and effectiveness within the IT department by establishing baselines and benchmarks.

Why Formalize Your IT Policies and Procedures?

Ensuring fairness.

Without some forethought and a written policy, you’ll open yourself to charges of favoritism. Why was Barbara’s PC fixed before Cindy’s even though Cindy submitted her request first?

Managing expectations.

Policies and standards give your employees some idea of what to expect. End users know roughly how long it takes to fix or replace a hard drive, how long it takes to order a new monitor, make a change to the Web site, etc. They also know what activities are permitted and which ones aren’t. They know what software is supported, what software is tolerated but not supported, and what software is strictly forbidden.

Establishing measurable goals.

Policies and standards give managers a benchmark they can use to measure performance.The document that outlines these goals is usually referred to as a Service Level Agreement (SLA).

Protecting yourself legally.

If the worst happens and an employee or guest uses your computing resources to break the law or harass someone, a signed Acceptable Use Policy (AUP) can help to minimize your exposure and liability.

Improving communication.

If you establish and document a clear, consistent help-desk workflow, you’ll minimize on the frustration that end users feel when something goes wrong with their computer.

What’s your Help-Desk Workflow?

Do you have a central point of contact for staff members with a tech support problem?

If some of your colleagues email Marty, others email Jane, others use the phone, and others just drop by the help desk, support issues are more likely to get lost or delayed. Consider designating a single digital point of contact (for example, an email address or a Web form) and a single analog point of contact (for example, a phone number).

What information should end-users provide?

End users without a technology background often have trouble describing their problems and framing their questions. They often leave out crucial information and use vague or misleading terminology. Your IT policy and procedure documents can include pointers about what information to include in a help-desk request. Of course, many people don’t read policy documents so it’s more effective to build guiding questions into the forms that staff members use to submit their requests.

How do you distribute help-desk requests?

If you have more than one person in your IT department, you want to allocate incoming requests so that you take advantage of everyone’s strengths while also keeping the workload well-balanced.

How does IT communicate back to the end user?

Do they send a reply to each support request indicating that the message was received? Do they periodically send updates if the problem can’t be resolved in the first attempt? Do they check up afterwards to make sure the problem was resolved to the end user’s satisfaction?

Do first-level IT staff know how to escalate a problem?

In other words, if a technician can’t solve a problem, who do they turn to? It may vary, depending on the type of problem. Sometimes they’ll escalate to another tech, and other times they might escalate to a vendor or a consultant.

What Are Your Help-Desk Priorities?

A simple first-come, first-serve queue makes sense for some problems. But if your Web site is offline and someone is having trouble changing his desktop background image, which problem should you address first? If your Web server and your mail server are both giving you trouble, which one should you fix first? Is a manager’s request automatically given a higher priority?

Help-desk policies often define different “impact levels.” For instance, a problem that affects multiple users or the entire organization has a higher impact than something affecting one or two people. A problem with no workaround has a higher impact than one with a workaround.

Furthermore, help desks frequently distinguish between problem tickets, which render a critical component inoperable, and project tickets, such as the installation of new software or the creation of a new user account. Problem tickets usually receive a higher priority.

Should You Have a Service Level Agreement?

A Service Level Agreement, or SLA, goes beyond a simple statement of priorities. An SLA specifies specific, measurable goals for your IT department to shoot for in terms of reliability and response times. For instance, an SLA might guarantee that the organization’s Web site will be available 99.9 percent of the time. Or you might promise that IT staff will respond immediately to top priority requests and within 24 hours to all other requests.

Of course, you have to talk to your IT staff to find out which objectives are reasonable and which ones aren’t. Also, as you’re establishing these goals, ask yourself how you’ll measure your team’s performance relative to these goals. Help desk management software automates the tracking and reporting of help-desk response times, while network monitoring and network management tools can help you track the performance of key resources such as your Web server or your email server. SLA 101 from ComputerWorld offers some additional advice on Service Level Agreements, and you can find dozens of examples on the Web, such as this one from Earlham College.

What Do You Expect from End Users?

Your help-desk policies can also include information about what employees and guests can do with your IT resources. What activities do you ban outright on your network? What activities are allowed but not supported? What hardware and software do you explicitly and fully support? Furthermore, your policies can include a description of the proper procedure for submitting help-desk requests and equipment purchasing requests. Organizations often collect these guidelines and restrictions into an acceptable-use policy or a computer use policy that every new employee has to sign and agree to. Spiceworks and SANS (267 KB PDF) have both posted templates that you can borrow and modify.

Conclusion

Keep in mind that you shouldn’t spend weeks and months drafting these policies from scratch unless you work for a very large organization. Use templates and policies from other organizations to build the framework. Then identify anything that might be controversial or specific to your organization and bring those items to the attention of your colleagues. Also, your IT policies don’t need to be fixed, unalterable documents. Under ideal circumstances, they reflect an evolving, ongoing conversation between managers, IT staff, end users, and clients.