Thanks for stopping in for the next post from the Intreis Myth Busters! Last week we discussed why the attitude that “IT GRC is a necessary evil” could be harming your organization. Now we’re moving on to debunk “The ‘right’ policies and procedures will make us compliant”.
Having the right polices in place can be an easy win where compliance is concerned. However, policies can also put you on the express train to control failure.Train wreck
I have often grappled with Senior IT personnel when it comes to writing Information Security (IS) Policies. I’ve read and reviewed 100’s of IS policies in my day, and it never ceases to amaze me what people are willing to put in a policy.
And when I see something crazy, I’m not afraid to ask,” Is this an actual policy or is this your wish list.” Often the answer I get is, “Its best practice.”
There is no denying that certain things are best practice, but being intimately familiar with what’s required to monitor and enforce said best practice, I am immediately suspect when I see certain policy statements. And when I see one of these suspicious policy statements, nearly always there is one of two things happening: The company I’m advising has managed to pull something off that 95% of all other companies have not and cannot, OR It’s a wish, it’s not reality.
The top 10 questions to ask yourself before you call something a policy:
- How are you managing the communication and training on this policy?
- Has this communication and training reached its intended audience? How do you know?
- How are you managing the enforcement of this policy?
- What processes and procedures are in place to support the enforcement of the policy?
- How do you ensure people are complying? How do you test for compliance?
- What are the repercussions for not following the policy?
- If the policy has a direct impact on daily business operations, have you given the business a viable, alternative way to conduct their business that is within the stated policy?
- How do you handle exceptions to this policy?
- Assuming you can measure policy adherence and exceptions, do the number of exceptions out weight the number of people actually adhering to the policy?
- Is this a policy you’re prepared to enforce, or is this a best practice you wish to implement?
Remember
When auditors audit a policy, they are going to be asking similar questions and if you don’t have the right policy support mechanisms, you have failed before you even get started. While not having a policy will likely create a deficiency, the act of having the policy does not make you compliant, in fact a poorly written policy can actually create a deficiency where none existed.
If your goal is to move toward best practice, then put a plan in place that will support the implementation of that best practice. When you’re sure you have the requisite supporting mechanisms in place to support that best practice as a policy, then you can incorporate that best practice into a statement of policy.
That wraps up this week’s Compliance Myth. Don’t forget to check back in with us next week, when we’ll discuss why Outsourcing may not be your Compliance friend. As always, share with us the Compliance misconception you can’t stand, and we may include it in our series! Comment below or tweet us .
