On January 18th, Jon Stewart of The Daily Show teased U.S Representative Mel Watt for failing to understand a bill that he was trying to pass.
The House Subcommittee on Intellectual Property, Competition and the Internet was deliberating on the now infamous SOPA bill that, while being designed to limit media piracy on the Internet, was over-reaching. What was particularly funny to Stewart was that Watt and his colleagues said, several times, that they needed to consult the “nerds” to find out how the Internet worked, and thus how the law would work. The reason the Internet bill was over-reaching, it turns out, was because Watt and his fellow Congress members had no idea how the Internet worked.
Sorry to break down a joke like that, but I have a point.
Information security, like Internet laws, can only work if organizations take an interdisciplinary approach to compliance requirements. But business managers are commonly asking their IT managers to take on information compliance as their sole responsibility.
Here are three major flaws with this approach:
Flaw 1: Laws and regulations like HIPAA, CMR 17.00, Gramm Leach Bliley and EU Safe Harbor are not particularly IT issues. They have specific non-IT requirements that must be owned by the appropriate management.
Flaw 2: Information security laws and regulations are regulating information, not technology. But IT does not own the information! They administer it, they make it efficient, they can help make it safe, they may even design strategic processes for information. But they do not own the information! Therefore, they cannot enforce rules for using it.
Flaw 3: IT staff are as good at interpreting legal documents as sales people are. And administration support. And carpenters. Or bakers. In fact, I can only think of . . . oh . . . attorneys who would be good at interpreting laws. I’ll ask IT to take charge of compliance the day I ask my dentist to submit my income forms.
Information compliance laws and regulations require attention by management who have responsibilities for information . . . not only information technology.
So how should you get to compliance? Develop a team of managers who have information responsibilities, gather authoritative guidance for interpreting laws, and create a road map (gap assessments and risk assessments are critical!) to move toward compliance.
These managers, including IT, should be assigning controls to their team members that align with detailed requirements that come from laws regulations and even contracts. And those controls should be prioritized by the compliance team because you share resources (like budgets, time, and people).
If you assign sole responsibility to IT for anything that is not IT, make it party planning, or lunch ordering, or first choice in the Book Club. Compliance is something you will all need to do together.