Managing Information Security Violations
By Henry Bagdasarian
Managing information security violations is an important part of
a comprehensive information security program. Violations may be committed by
employees either accidentally or knowingly, even when they are aware of
the disciplinary actions the policy prescribes for violations.
Despite having information security policies and training, some employees
may still violate the established policies and protocols on purpose for their
personal gain even if they realize that their actions may place their company
at risk.
Often, employees know that their actions might affect their
company but could not care less if they are not personally affected.
Policies can be waived in certain circumstances and for some
people, but the exceptions must be approved, documented, and transparent. The transparency
aspect of the policy deviation process is very important because employees may feel that some employees are more favored than others, which
can lead to anger and revolt.
Justification for Information Security Violations
Many groups and individuals may
violate the information security policies for a variety of reasons. Below is a sample
list of groups that may resort to policy violations for personal gains and the rationale
behind their thinking:
- The Sales team in general prefers to sign a contract and close the deal quickly
while pushing lawyers, the company’s information security officer, and others
to finalize the contracts as soon as possible. They may be willing to make
excessive promises to customers regarding future security deliverables set
forth in the contracts to make the sale and collect the sales bonuses.
- Business operations employees may decide to send unencrypted confidential files to
others because it’s faster than requesting an encryption mechanism from
Information Technology.
- Information Technology management and application owners may decide that it’s too much
effort and too inconvenient to facilitate a security audit or to modify the
application code to strengthen the security of the system in accordance with
the company's standards.
- Average computer users may leave their computers unlocked and unattended to avoid
having to log in again when they return from a short coffee or restroom
break.
As you can see, many within organizations have no vested
interest in information security, and some care even less about it
because they have support from people at the highest levels of the organization who
approve their actions. But the problem is that the executive management team
also has a business objective, and they are vulnerable to the future risks
presented by unjustified and unapproved policy deviations, such as lawsuits,
fines, and even imprisonment.
Managing Information Security Violations Process
Below are some of the solutions I propose for managing information security violations:
- Establish an information security leadership council comprised of key senior and executive
management members. This group should be tasked with security oversight and
making decisions on key information security matters.
- Designate and empower a Chief Information Security Officer who reports to the security council or acts as its chairperson.
- Establish a formal and documented override approval process in case some deviation from
the established security protocols is needed. This process must be educated, collective,
transparent, and documented.
- Have the Human Resources group create disciplinary actions for dealing with
employees who deviate from the information security protocols without
proper approvals from the information security leadership council.
Items to consider when establishing a process for managing information security violations:
- How can someone request a deviation from the policy? Form, timing, etc.
- In what circumstances can they request the waiver? Rationale behind the waiver.
- What is the scope of the waiver? Who is affected and how.
- Who should approve the deviation request?