A member of the Gartner Blog Network

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

All employees must obey the law!

by Jay Heiser  |  December 14, 2011  |  Comments Off

I review a lot of corporate security policy material, and it is the rare organization that doesn’t have an ITsec policy statement amounting to “all employees must obey the law.” Well, yes. I reviewed one today that managed to get this point across 4 times during the first page and a half, a remarkable achievement for a 2-page document.

It’s easy to imagine where this nearly universal policy compunction comes from. In a legalistic society, the Simon Says Rule, and its inverse, trumps all other considerations. When it comes time to fire someone, it’s just so much easier if they can’t use the Simon Didn’t Say Rule to claim “you didn’t tell me I wasn’t supposed to break the law.” It is ironic that the legal field puts such emphasis on the reasonable man standard, given that so much of what happens in law defies common sense. To loosely apply the reasonableness standard in this situation, would there not always be an expectation that a reasonable person would consciously obey the law?

Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person could disagree with that? I would. That is tantamount to telling your employees “we will not tell you what specific laws you must follow as part of your job, let alone how to follow them, but if you do not, then we will punish you.” If your own organizational lawyers can’t specifically state what individual legal responsibilities are, why should there be any expectation that non-lawyers will be able to do so?

Vague and unactionable policy, full of ambiguous legal language, is a corporate cop-out. If you want your people to do the right thing, you must give them sufficient guidance such that they know what that thing is. If you want people to avoid doing certain classes of act, then you must provide sufficient details such that they can reasonably know what they must not do. A policy requiring employees to “do everything we should have thought of but didn’t” is a weak policy that will have virtually no impact on reducing risk.

Category: IT Governance, risk management, security