Policy compliance within the information security space can be an exhausting concept to wrap our heads around. Writing a policy document, publishing it to staff and then staying hands-on to ensure it is followed in perpetuity is easily seen as an arduous, if not an impossible, task.

Policies set the basis for every successful information security initiative. As governance is about setting direction for the business, policies are how we provide centralized management for the expectations of the organization. Without policy, it is difficult for a business as a whole to adhere to specific regulations or to be protected from security gaps.

Though obtaining policy compliance can be interpreted as a daunting endeavor, this function is the foundation of all successful information security programs. Four components are necessary to ensure that your policy is implemented successfully throughout your business: transparency, alignment, sponsorship and accountability. Simple is the name of the game here. Utilizing these four components is intended to make the policy compliance process much easier and more straightforward.

Be clear with communication

Why are you asking your colleagues to review and acknowledge yet another policy document? Though it may be clear to us as information security professionals, we need to be sure that we communicate the purpose of this new policy when requesting that staff review and acknowledge it. Being explicit removes a barrier to compliance because it allows those within the organization to fully understand the intent of the policy and their subsequent responsibility to it. As policy executors, it is our duty to clearly communicate the reason for the policy to our fellow staff and to be fully transparent on why it is being implemented within the organization. Don’t forget to keep your purpose explanation simple and to the point!

Get buy-in early from leadership

Be (Read more...)