
“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.

I was speaking with a client yesterday about policies and auditing. He asked me a question and it reminded me of what I told my clients for years regarding policies.

First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and a tool for disseminating the policy. It should be a reflection of the policy that has been approved by management. Simply having a written document does not mean you have a policy. The policy must be approved, documented, disseminated, and enforced.

Second, it is important to remember that writing and approving a policy is the easy part. Ensuring adherence to the policy and enforcing it is the difficult part. Make no mistake: a policy that is not enforced will not be followed for very long. People are inherently lazy (this writer included). We take the path of least resistance. Policies require difficult, often inefficient methods. Without enforcement, they will fall by the wayside.

Third, writing, approving and documenting a policy is often much easier than implementing the policy. Consider the following example. Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and the “model of least privilege” (standard model). This alone requires an audit of every person’s existing privileges, as well as identification and documentation of their roles and responsibilities. Then each role would need to have its access levels documented and assigned. As you can see, a simple one-line policy statement may have deep implications.

Finally, it is important to ensure that your company adheres to the documented policies. This is a three-step process I describe as “tell me, show me, convince me”:

1) Tell me: show the auditor that you have a documented policy that is kept up to date, approved by management and disseminated to employees.

2) Show me: demonstrate to the auditor that you are currently in compliance with the policy.

3) Convince me: convince the auditor that you have a history of following the policy by producing relevant documentation/evidence that shows compliance over time (e.g. the last 3 months, the last 6 months).

By using the tell me, show me, convince me model with your policies and departments, you can have confidence that your policies are being enforced and followed.
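The least-privilege example above (audit every user's existing privileges against documented roles) and the "show me / convince me" steps both come down to a repeatable check. The following is an added example, not code from the post or its author: it assumes a constructed role model, a constructed snapshot of privileges actually granted, and a constructed list of past review dates, with the post's own date used as the "as of" date. It reports each user whose grants exceed (or fall short of) the baseline for their role, flags roles the model never documented, and then checks whether review evidence exists for every calendar month of a 3- or 6-month look-back window.

```python
from datetime import date

# Constructed role model (assumption): each role maps to the privileges its
# holders need, documented as the policy in the post requires.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password_reset", "ticketing:read"},
    "developer": {"git:read", "git:write", "ci:trigger"},
}

# Constructed snapshot (assumption) of what is actually granted today, e.g. an
# export from a directory or application admin console: user -> (role, grants).
GRANTED = {
    "alice": ("accounts_payable", {"erp:invoices:read", "erp:invoices:approve", "git:write"}),
    "bob": ("helpdesk", {"ad:password_reset"}),
    "carol": ("developer", {"git:read", "git:write", "ci:trigger"}),
    "dave": ("contractor", {"git:read"}),
}

# Constructed review history (assumption): dates on which a full access review
# was completed and recorded, plus the date the auditor is asking about.
PAST_REVIEWS = [date(2012, 6, 15), date(2012, 7, 20), date(2012, 8, 1)]
AS_OF = date(2012, 8, 7)


def review_user(user, role, granted, role_model=ROLE_ENTITLEMENTS):
    """Compare one user's granted privileges with the baseline for their role.

    'excess' is the security-relevant set: anything granted that the role does
    not justify violates least privilege. 'missing' is reported as well because
    it usually means the role model has drifted from how work is really done.
    A role absent from the model is a finding in itself: every grant is
    unjustified until the role is documented.
    """
    if role not in role_model:
        return {"user": user, "role": role, "undocumented_role": True,
                "excess": set(granted), "missing": set()}
    baseline = role_model[role]
    return {"user": user, "role": role, "undocumented_role": False,
            "excess": granted - baseline, "missing": baseline - granted}


def review_all(snapshot=GRANTED, role_model=ROLE_ENTITLEMENTS):
    """Run the review over the whole snapshot; return only users with findings."""
    findings = []
    for user, (role, granted) in sorted(snapshot.items()):
        f = review_user(user, role, granted, role_model)
        if f["undocumented_role"] or f["excess"] or f["missing"]:
            findings.append(f)
    return findings


def months_back(as_of, n):
    """(year, month) tuples for the n calendar months ending with as_of's month."""
    y, m = as_of.year, as_of.month
    out = []
    for _ in range(n):
        out.append((y, m))
        m -= 1
        if m == 0:
            y, m = y - 1, 12
    return out


def missing_evidence(review_dates, months, as_of):
    """Calendar months in the look-back window that have no review record.

    An empty list means the 'convince me' step is satisfied for that window.
    """
    covered = {(d.year, d.month) for d in review_dates}
    return [ym for ym in months_back(as_of, months) if ym not in covered]


if __name__ == "__main__":
    for finding in review_all():
        print(finding)
    print("evidence gaps, last 3 months:", missing_evidence(PAST_REVIEWS, 3, AS_OF))
    print("evidence gaps, last 6 months:", missing_evidence(PAST_REVIEWS, 6, AS_OF))
```

Run as-is, the review flags alice (a `git:write` grant her accounts-payable role does not justify), bob (missing a baseline privilege, so either the role model or his provisioning is wrong) and dave (a role the model never documented); carol is clean. The evidence check passes for the 3-month window but shows three missing months for the 6-month window, which is exactly the kind of gap the "convince me" step is meant to surface before an auditor does.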
