As the Dec. 18 deadline fast approaches for many carriers and drivers to meet the electronic logging device (ELD) mandate, many companies are — or should be — using this time to review internal IT practices. The mandate will result in companies that previously tried to avoid additional technology integration having to adapt and adjust.
“IT is really changing the trucking industry,” said Mike Probert of Wasatch I.T. Prior to joining Wasatch I.T., Probert worked in-house with a large, local trucking company. Probert saw first-hand how increased technology integration makes the trucking industry “safer, more efficient and more honest.”
However, with the increase of technological dependence, Probert emphasizes the importance of proactively structuring or limiting technology usage in ways to best minimize potential vulnerabilities. Probert cites instances where drivers carried tablet devices with significantly limited functionality — often with only the ability to take and send photographs. “We disabled everything else,” Probert stated. “Not only did we limit functionality, but we had the ability to remotely lock down and erase all contents in case of loss.”
Internal or outsourced IT is only one component of a well-rounded IT plan. As the trucking and transportation industry employs many remote employees, implementing and enforcing solid IT security measures and procedures is essential. Companies must create, release and enforce a variety of policies to systematize and guide network and hardware usage. Although there are numerous potential policies to implement, the following are useful policies to consider adding or refining in any organization:
• Acceptable-Use Policy (AUP). This is also known as a fair-use policy and is an integral component of a company’s monitoring procedure. An AUP is designed by the owner of a network or website to govern how the platform should and should not be used, and it explains the monitoring strategies used to enforce those rules and the consequences for policy violations. One purpose of the AUP is to reduce legal liability by creating standards of behavior for employees using these platforms and by giving users notice of monitoring activities aimed at ensuring adherence to the guidelines. It is here that a company can define what behaviors are unacceptable, such as excessive use of resources or time-wasting activities, distribution of confidential information and distribution of indecent or offensive data, and can set out other security measures surrounding virus transmission or dissemination.
• Internet Access Policy. This involves the use or restricted use of various websites by an employee. Internet usage should be reviewed as the Internet connects to various assets such as the company server. Further, an Internet Access Policy can be designed to support the AUP by blocking various sites that are not central to the nature of the employee’s position to aid in reducing various time-wasting activities.
• Email and Communications Policy. A good policy shapes the parameters of what is acceptable regarding email and other communications. This policy covers everything from professionalism to protecting the confidentiality of client and company information through such transmissions. This policy should establish any email template requirements, required response times to received communications, personal email usage and texting guidelines. An email and communications policy serves as a great opportunity to remind employees that despite the ease of email, a message sent from a company email account may be viewed by the receiver as an expression of intention or fact by the company, and caution must be used to ensure the correct message is relayed.
• Network Security Policy. These rules seek to protect critical company assets by establishing security controls governing use of these assets. Although there may be a variety of classes in an organization requiring different levels of access to the network, the guidelines in a network security policy are generally applied consistently across an organization. A network security policy should address the level of access allowed, what devices may connect to the network remotely, how authentication will occur, maximum user idle time before network termination and the potential penalties for policy violation.
• Remote Access Policy. This governs the usage of the company network when the employee is accessing the network from a remote location. It is important to establish a remote access policy that integrates with the network security policy to govern the transmission of data over untrusted networks. A remote access policy should both outline the rules remote users must follow to ensure document and network security and outline the maintenance of the network to provide for a safer transmission of information. This upkeep should include a policy for continual, proactive review to ensure adequate protections, such as firewalls and security patches, are installed and current.
• Encryption Policy. A good policy seeks to protect a company’s digital assets (data, files, personal information, company resources, etc.) from theft or breach between communicating devices over the Internet. Many believe a strong encryption policy is a must-have for all mobile devices. It is important to clearly define the devices covered and keep the policy up to date. This policy should cover all email and attachments, files, external devices, mobile devices and recovery and backup in case of an emergency.
• Bring Your Own Device (BYOD) Policy. A BYOD policy covers the requirements governing employees’ personal devices being used for on-the-job purposes. BYOD is often viewed as beneficial to employees as it allows for greater device and platform familiarity than may exist with company-issued devices. However, companies must strive to ensure such devices access sensitive company information in ways that avoid unauthorized dissemination of information or the introduction of vulnerabilities into the network. It is imperative that companies use the BYOD policy to establish password protection measures, automatic lockout requirements, anti-virus and encryption requirements, synchronization prohibitions and rights held by the company to review the device to ensure compliance.
As many of these policies are interrelated, it is important to create a comprehensive IT security structure that integrates the various policies. While there are a variety of policies that may be applicable to assist in the protection of a company and network, this is by no means a comprehensive list, nor is it intended to serve as legal advice. This article merely seeks to help business owners plan by providing a basic understanding of the importance and purpose of various policies, so that they can begin or refine these policies.
Bahar Sharifan is president of Wasatch I.T., a Utah provider of outsourced IT services for small and medium-sized businesses.