Any organization should establish policies for the appropriate use of e-mail, instant messaging, peer-to-peer file-sharing systems and other corporate assets, for a variety of reasons. Employees need to know what is considered acceptable use of these tools, the employer’s liability for inappropriate content leaving the organization needs to be reduced, and so forth. In most organizations, the IT department is charged with managing these policies.

However, in a large messaging security survey we recently completed, we found that a significant number of IT managers would like some help from the rest of the organization in managing policies.

For example, we asked IT/messaging decision-makers if C-level line-of-business managers should be more involved in managing policies for confidential information and regulatory compliance in their organizations; 57% of respondents agreed or strongly agreed that they should be more involved. Similarly, we asked these messaging decision-makers if their IT group would like to deploy technology that could help them engage other parts of the organization in policy creation and enforcement; 50% agreed or strongly agreed that they would like to do this. Nearly as many would like a way to enable other parts of the organization to manage the enforcement of policies for acceptable use and regulatory compliance.

The message here is reasonably clear: a large percentage of IT decision-makers charged with managing messaging systems would like some help in managing policies. In large part, this is due to the fact that many of the policies in place in an organization really don’t directly affect IT.

For example, while consumer IM use in an organization could create problems for IT in the context of introducing viruses or other malware brought into the network, much of the concern with IM focuses on the productivity issues that line-of-business managers are concerned about if their employees are chatting with friends and family while at work.

In short, policy creation and enforcement is everyone’s job, not just IT’s. I’d like to get your thoughts about this, whether you’re in IT charged with managing policies or in a non-technical role and need to implement these policies. Please drop me a line at mailto:michael@ostermanresearch.com

Michael Osterman is principal analyst of Osterman Research.