Legal IT documents [closed]

I have been wondering this past week because my big boss told me to start keeping track of all the things I have fixed, how to fix them, etc., which is reasonable and I have been doing anyway. But then a related question came to mind: what kind of documentation should I have on hand as far as users go? More specifically, I am talking in terms of EULA, ToC, etc. (correct me please if I'm using the wrong terms), or more specifically a policy, so to speak, for the users and such. Can't say I'm a legal expert, otherwise I'd be a lawyer. The environment the users are in is pretty laid back, so I don't foresee a problem. But assuming there should ever arise a problem, what should I have written up/have on hand?

EDIT: I really should have noted that we are a medical transport facility and have patient records, so I know that something must be done there to comply with HIPAA policies, I believe. I do like what anthonysomerset said about the "If I get hit by a bus" scenario and want to apply it not only to the documentation I am currently writing but also for if, say, an employee were to steal info from the server, or edge cases, theft, etc. As far as our staff, it's relatively small, as in a single HR person, no legal department aside from the 2 owners' lawyers, and me being the only IT person on staff with a guy who is no more than a Mac superuser.


Solution 1:

You should work with your boss/HR people to have a series of written policies, adopted by the supervisors, that outline how various issues are handled and what is expected of employees. These can vary depending on the business, but basically you would have documents that specify what is and isn't allowed on your network and computer systems and what the follow-up actions are (how remediation is handled, what can lead to termination, etc.). Then your employees are given the material as part of an employee handbook or memo, possibly to sign and keep on file.

Come up with scenarios that you would have to deal with in terms of acceptable use on the computer systems and then talk to your boss about it; unless you have the authority to fire someone you should work on the language of the policies with other heads-of-departments or supervisors. If you have a legal department you will want it run through them as well to make sure you're not stepping on legal issues involving privacy or termination in your area.

Ideally your business already has some employee handbooks or materials that employees have to be aware of and prop their desks up with, so there could be some idea of a template in there to work from for you.

Solution 2:

Our office just went through this. However we have to comply with HIPAA. We took a framework for our IT standards from an online version, and fleshed it out. I personally wrote a vast majority of the policies. As @Bart Silverstrim said you will need to work with your HR person. We were a two person team for our standards doc.

It isn't easy. Just go slowly and methodically. Start with your day-to-day routine, and jot that down in a bulleted list. There is a whole list of ideas; here is just a sample of ours:

  • Classification of data
  • Risk analysis management
  • IDs and accounts
  • Personnel security
  • Change control/audit log
  • Hardware and software
  • BC/DR (every company should have this regardless)

There is much much more, it all depends on how far you want to go.

We have these standards (rules) in place to cover ourselves in case someone breaks HIPAA. So we can say "hey, we have these rules, and they broke them".

This is the framework that we used. It may or may not work for you also.