Tip

How to build a corporate culture of policy compliance

Perhaps more than any other society, American culture looks up to and honors the rebel, the independent thinker and the successful deviant. Where else would hackers, who go to jail repeatedly for their crimes, be the celebrated cause for a counter-culture movement?

In a culture such as this, compliance with laws, regulations, policies or any other rules coming from the establishment look to many people boring and deadening. In the eyes of some, the person who complies has sold out, has been defeated by the system. It is into this larger societal conversation that we information security practitioners are sending our training and awareness messages, and it is no surprise that non-compliance has been, and continues to be, rampant.

While all information security professionals will no doubt acknowledge that their organizations have compliance problems, few have investigated the specific ways that their organization's corporate culture actually fosters non-compliance. How an organization approaches rules, approaches compliance and checks on compliance will have a profound impact on the success or failure of an information security effort. Unfortunately, culture-shifting efforts are most often not an official part of the Information Security Department's budget.


MORE INFORMATION ON POLICY COMPLIANCE:
  • Read this tip, also by Charles Cresson Wood, on how

    Requires Free Membership to View


To help build a corporate culture that is truly supportive of compliance, I suggest three important endeavors:

  • First of these is an awareness and training program that speaks directly to the merits of being in compliance with laws, regulations, policies, standards and other rules. Too many training and awareness efforts assume that the recipients of information security material are on board with the notion of compliance, that they only want the details of how to come into compliance.

  • Second amongst these is the clarification of roles and responsibilities when it comes to information security. We need to be very specific about accountability. We need to follow up via performance reviews, internal audits, automatic vulnerability identification software and other checking mechanisms, in order to make sure that people are delivering in a manner consistent with assigned roles and responsibilities. This means that job descriptions need to explicitly include information security tasks. These tasks need to appear not only in the job descriptions of technical specialists, but also managers and end users.

  • The third of these suggestions for establishing a corporate culture conducive to compliance involves the funding for compliance-checking jobs (be these people internal employees, consultants, contractors, whatever). The Information Security Department in general should not be tasked with this compliance checking because it would be a conflict of interest. It is the Information Security Department's role to develop draft rules, and to develop a consensus around these draft rules. It should not be the Information Security Department's job to check its own work. This checking should instead be done by an Internal Audit Department, a compliance group in the Legal Department, a Chief Privacy Officer (generally also in the Legal Department), external auditors and/or others.

Only when management truly sees the need to establish a corporate culture of compliance, when they have actually communicated that message to the rank-and-file, when they have begun to hold people accountable for results and when they provide funding for compliance- checking can we expect to see the beginnings of a corporate culture conducive to compliance with information security rules.

About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of Information Security Policies Made Easy. You can reach him at ccwood@ix.netcom.com.


This was first published in June 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.