I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again.
Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” How can that possibly be productive in improving morale or reducing the propensity to engage in inappropriate behavior? If the institution wants employees to follow a certain line of action, then they must support them in making effective decisions. If the corporate counsel’s office doesn’t know what the law requires, then it makes no sense to demand that employees follow the law.
A second form of counterproductive policy is typified by words such as ‘may’ and ‘as required’. “…shall take the necessary actions.” is a thinly veiled way of saying “We know we are missing something important, so we reserve carte blanche to interfere with your life in the future.”
Recognize that there are an infinite number of bad things that could occur, and that policy can do very little about them. Concentrate instead on practical and specific requirements and clear lines of responsibility.
Treat policy as a communications mechanism to improve employee willingness and ability to protect the enterprise. Do not use policy as a way to dump your risk on somebody else’s lap.