Why do we need management's support for information security? Doesn't IT own information security? The technical side is important, but management's role cannot be overlooked. Thornton states that management has to drive information security. Why does management need to drive this policy? Senior management is legally accountable for any breaches that occur, and it has a fiduciary responsibility to protect the company's assets. Management also controls the resources, both budget and personnel, needed to implement policy, and it can provide clear direction when stakeholders disagree. Finally, when senior management visibly treats information security as important, it creates a culture in which employees recognize that importance as well.
So how do we get executive support for our information security initiatives? First we need to start the discussion with senior management. Our goal is to focus their attention on the importance of a sound information security policy. We can do this by communicating the need for compliance, the consequences of noncompliance, and the company's responsibilities to its customers. Each of these is a factor that can earn management's support for our security policy.
Compliance obligations that affect our corporation should be laid out for management. They can arise from laws at the state, federal, and international level. The Sarbanes-Oxley Act (SOX), the Electronic Fund Transfer Act (EFTA), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA) are just some of the laws that require a well-supported information security policy. Regulations that implement such laws, including Massachusetts 201 CMR 17.00 at the state level, the FTC's Red Flags Rule (issued under FACTA), and Title 21 CFR Part 11 on electronic records, also shape our compliance obligations. Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), while not laws, are enforced contractually and can drive the need for compliance just as strongly.
The fear of what noncompliance brings can also win management's support. At the very least, noncompliance can damage a company's reputation. Data breaches continue to haunt Target, Sony, and TJX (the parent of TJ Maxx), to name a few. An effective information security policy can limit the damage to our reputation by laying out, in advance, the course of action to take if a breach occurs. Poor security controls can also incur monetary damages through regulatory fines and remediation costs.