Once upon a time, when information security did not figure among
the priorities of the IT Head (the era before the CIO title came into vogue),
a company took it upon itself to protect sensitive information that, if leaked,
would damage its image and reputation. The internet was beginning to
spread its wings and reach residential customers, the browser wars had
just begun, electronic commerce had yet to reach irrational valuations, and information
leakage and its prevention were not on the radar of most enterprises.
There were no USB ports or thumb drives, internet connections
were rationed and low in capacity, and email was the primary mode of information
dissemination apart from paper. Separating Information Security & Risk
into an independent entity was a big, pioneering step forward. The new team
started with a list of dos and don'ts for users that grew into a set of
policies. In a hierarchical world, the stringent policies
became more liberal the further up the ladder you looked, for the convenience of senior executives.
Then came the noise and the requests for exceptions, citing
business need and the impact of the newly imposed controls; function heads
authorized the leniency, thereby leaving the policies significantly compromised in
both intent and execution. New threats, which were perceived to be largely external,
were intercepted and addressed; internal exceptions, however, stayed and
continued to grow. Companies settled on an acceptable level of internal risk, placing
high trust in senior executives to guard the family jewels.
Fast forward to the current world of heightened awareness
of, and impact from, information leakage and cyber threats: is the scenario any
different? Sampling across companies of varied size, industry
and geography indicates that the information security function now exists in a
majority of enterprises, reporting to the CIO, who has also taken on the
mantle of protecting the information assets. High-maturity and regulated companies
have given security independent charge under a CISO accountable to the
CEO or the Board.
Policies have become more stringent, implementation more rigorous and,
with a plethora of tools available, monitoring better. The
industry has continued to disrupt its own solutions with newer, faster,
better, cheaper ones, painting an ever scarier picture and forcing adoption driven by FUD. Social
engineering has evolved to new levels, with a multitude of avenues reaching
the gullible and the stupid, who willingly give away everything, including
personal records that compromise corporate and individual assets.
Most policies are cookie-cutter approaches built from the standard
templates of consulting companies, with some variance by industry; many of
them contain statements that put at risk both the enterprise and the policy itself. The
implementation, too, is outsourced to IT companies that provide out-of-the-box
solutions, at times with no alignment to industry specifics. Compliance
continues to drive policy creation and intent: to pass the statutory audit, to
ensure that customer audits do not show non-compliance, and to help justify budgets
for information security.
Leaving aside the exceptional case of incompetence at the
senior management level within an enterprise, today the awareness and intent to
protect the information assets of the company are genuine enough to put pressure on
IT and Information Security professionals. Auditors and regulators have also
gained enough expertise to go beyond superficial reports, dashboards and
compliance statements. They are better equipped and have raised the bar for
owners, entrepreneurs, management and the Board.
ISO and other standards-based practices and certifications
are mainstream, and the cost of information leaks can now be measured in fiscal
terms; wordsmithing to crisply document and disseminate the policies, with no
room for ambiguity or misinterpretation, has become the baseline expectation. No
exception is the new rule; need to deviate? Change the policy instead, creating
grades and boundaries for execution. It makes life so much easier than having to
explain why an exception was granted and how it was managed.
Staying compliant is mandatory, protecting information is
necessary, and educating stakeholders is the starting point; take steps before a
crisis emerges. Make sure policies are easily understood in intent and
execution; have employees sign off on acceptable use policies that define the
boundaries; reinforce them with frequent communication; assess, audit and publish
results irrespective of status, success or opportunities to improve; stay
connected to innovators and peers in the industry to benchmark your effort and
stay safe.
But whatever you do or don't do, please don't create exceptions
to any policy!