Managing Information Security Violations
By Henry Bagdasarian
Managing information security violations is an important part of
a comprehensive information security program. Violations may be committed by
employees either accidentally, or, knowingly despite having the knowledge about
the policy’s disciplinary actions for policy violations.
Despite having information security policies and training, some employees
may still violate the established policies and protocols on purpose for their
personal gain even if they realize that their actions may place their company
Often, employees know that their actions might affect their
company but could care less if they are not personally affected.
Policies can be waived in certain circumstances and for some
people, but, the exceptions must be approved, documented, and transparent. The transparency
aspect of policy deviation process is very important because employees may feel that some employees are more favored than others which
can lead to anger and revolt.
Justification for Information Security Violations
Many groups and individuals may
violate the information security policies for a variety of reasons. Below is a sample
list of groups that may resort to policy violations for personal gains and the rationale
behind their thinking:
Sales team in general prefers to sign a contract and close the deal quickly
while pushing lawyers, the company’s information security officer, and others
to finalize the contracts as soon as possible. They may be willing to make
excessive promises to customers regarding future security deliverables set
forth in the contracts to make the sale and collect the sales bonuses.
operations employees may decide to send unencrypted confidential files to
others because it’s faster than to request an encryption mechanism from
Technology management and application owners may decide that it’s too much
effort and inconvenient to facilitate a security audit or to modify the
application code to strengthen the security of the system in accordance with
the company's standards.
computer users may leave their computers unlocked and unattended to avoid
having to login again when they return from their short coffee or restroom
As you can see, many within organizations have no vested
interest in information security and some care even less about information
security because they have support at the highest levels of the organization who
approve their actions. But the problem is that the executive management team
also has a business objective and they are vulnerable to the future risks
presented by unjustified and unapproved policy deviations such as lawsuits,
fines, and even imprisonment.
Managing Information Security Violations Process
Below are some of the solutions I propose for managing information security violations:
an information security leadership council comprised of key senior and executive
management members. This group should be tasked with security oversight and
making decisions on key information security matters.
and empower a Chief Information Security Officer who reports to the security council or acts as its chairperson.
a formal and documented override approval process in case some deviation may be
needed from the established security protocols. This process must be educated, collective,
transparent, and documented.
the Human Resources group create disciplinary actions for dealing with those
employees who deviate from the information security protocols without
proper approvals from the information security leadership council.
Items to consider when establishing a process for managing the information security violations:
- How can someone request a deviation from the policy? Form,
- In what circumstances can they request the waiver? Rational behind the waiver.
- What is the scope of the waiver? Who is affected and how.
- Who should approve the deviation request?
Visit Identity Management Institute for training on managing information security violations.