Skip to the main content.

4 min read

6 Important IT Policies Every Idaho Business Should Have in Writing

6 Important IT Policies Every Idaho Business Should Have in Writing
7:35

Most businesses in the Treasure Valley and East Idaho run on handshake rules when it comes to technology. Employees figure out what's expected over time, problems get handled as they come up, and nobody's written anything down. It works — until it doesn't.

The consequences of undocumented IT policies have gotten more concrete in recent years. Cyber insurance carriers now ask directly about documented controls at renewal time. CMMC requires written policies for defense contractors pursuing DoD work. And when a breach happens, the first thing your insurer and your attorney want to see is what your policies said.

Beyond compliance, written policies protect you operationally. When an employee leaves, you need a policy that governs offboarding. When someone connects a personal device to your network, you need a policy that covers it. When an AI tool generates a customer-facing document with wrong information, you need a policy that establishes who's responsible.

Here are the six your business should have in place.

1. Acceptable Use Policy

This is the foundation — a document that defines how company technology (computers, email, network, software) may and may not be used. Without it, employees are guessing, and you have no documented basis for enforcement if something goes wrong.

What it should cover: appropriate use of company devices and accounts, restrictions on installing unauthorized software, expectations around personal use during work hours, and what happens to company data on employee devices. It should also address use of company systems for outside business activities — a gap that creates liability exposure if not addressed explicitly.

For manufacturers and engineering firms, the AUP should also address shop floor systems, industrial workstations, and any equipment connected to both your IT and OT networks.

2. Password and MFA Policy

Compromised credentials remain one of the top causes of breaches. A password policy without MFA requirements is incomplete — documenting password length and complexity matters less than ensuring every user accessing email, VPN, cloud applications, and your ERP has a second factor required.

What it should cover: minimum password requirements, prohibition on password reuse across accounts, required use of MFA for all business-critical systems, use of a password manager, and how to handle shared credentials for systems that don't support individual accounts (a common issue in manufacturing environments).

Cyber insurance carriers specifically ask about MFA at renewal. If your policy doesn't mandate it, you may be uninsurable or paying a higher premium than necessary.

3. Remote Access Policy

The old Wi-Fi use policy — "don't log in on public Wi-Fi" — has been replaced by a more complex reality. Remote work, vendor remote access, field staff, and multi-site operations all create remote access scenarios that need explicit rules.

What it should cover: who is authorized for remote access, what tools are approved (VPN, remote desktop, etc.), requirements for the device being used (patched OS, endpoint protection), restrictions on what systems can be accessed remotely, and — critically — rules for third-party vendors who have remote access to your systems.

Vendor remote access is a particularly important section for manufacturers. If a machine vendor, ERP provider, or IT contractor has standing remote access to your systems and their credentials are compromised, your network is compromised. Your policy should require time-limited, logged access for all third parties.

4. BYOD Policy

If employees use personal phones or devices for work — checking email, accessing shared drives, using business apps — you need a BYOD policy. Without one, company data lives on personal devices you have no visibility into or control over.

What it should cover: which personal devices are permitted for work use, required security settings (screen lock, OS updates, encryption), what business applications may be installed on personal devices, what happens to company data on a personal device when an employee leaves, and whether the company will compensate for business use of personal devices.

For manufacturing environments, the BYOD policy should also address personal phones near production systems, CNC machines, or areas where photography could expose proprietary processes or controlled information.

5. AI Use Policy

This is the policy most Idaho businesses don't have yet — and the one they need most urgently. Employees are already using AI tools on their own: drafting emails in ChatGPT, summarizing documents in Copilot, generating reports with various tools. Without a policy, you have no visibility and no guardrails.

The risks are real: confidential business data entered into a public AI tool may be used to train future models. AI-generated content presented as authoritative can be factually wrong. Customer-facing documents drafted by AI and not reviewed by a human can create liability. For defense contractors, entering CUI into any non-approved system is a CMMC violation.

What it should cover: which AI tools are approved for business use, what categories of data may never be entered into AI systems (customer data, financial records, CUI, IP), requirements for human review before AI-generated content is used externally, and a process for employees to request approval of new AI tools.

6. Incident Response Policy

This is the one most businesses are missing entirely, and it's the one that matters most when something actually goes wrong.

An incident response policy documents what happens in the first hours of a security event: who gets called, in what order, what systems get isolated, what gets preserved for forensics, who has authority to make decisions, and what your notification obligations are. Without it, those decisions get made under pressure by people who aren't sure what they're supposed to do — and mistakes made in the first hour of a breach are hard to undo.

What it should cover: what constitutes a reportable incident, the incident response chain of command, immediate containment steps (isolate vs. shut down — these are different decisions), evidence preservation requirements, communication protocols (internal and external), and breach notification obligations for your industry (HIPAA timelines for healthcare, notification requirements under Idaho's breach notification law).

Cyber insurance carriers want to see a documented incident response plan. Having one also reduces your response time when something happens, which directly reduces the damage.

Policies are only useful if they're enforced

Written policies need to be signed by employees, reviewed annually, and updated when your technology changes. A policy that was written in 2021 may not reflect your current cloud environment, your current remote access setup, or any AI tools your team is now using.

If you're not sure where your current policy documentation stands, or if you're preparing for cyber insurance renewal or CMMC assessment, TotalCare IT works with businesses in Boise, Idaho Falls, and throughout the Treasure Valley and East Idaho to review and build out IT policy frameworks. Our Technology Alignment and Compliance services both include policy documentation review as part of the engagement.

Understanding Insider Threats in Cybersecurity and Their Impact

1 min read

Understanding Insider Threats in Cybersecurity and Their Impact

When most people think about cybersecurity threats, they imagine hackers sitting behind screens in far-away places. While those threats are real,...

Read More
Why Data Breach Lawsuits Are Exploding in the U.S. And How Businesses End Up Involved (Even When They Didn’t Get Hacked)

1 min read

Why Data Breach Lawsuits Are Exploding in the U.S. And How Businesses End Up Involved (Even When They Didn’t Get Hacked)

If you think data breaches end with a press release and a free year of credit monitoring, we have some bad news.

Read More
How Much Does A Managed IT Security Program Cost in Idaho?

1 min read

How Much Does A Managed IT Security Program Cost in Idaho?

I previously wrote an article titled "How Much Does IT Support In Idaho Cost?" In the article, I explain how services are priced in the Managed...

Read More