Ethics and Compliance Programs: What It Means to Comply
The Network's Ralph Childs answers readers' questions about compliance, ethics and best practices for educating management and employees.
May 01, 2005 — CSO — Childs founded The Network in Atlanta in 1982. A former FBI special agent, he was running a security consulting firm and realized that his clients needed help with core issues such as employee theft. Childs is a member of ASIS International and the Society of Former Special Agents of the FBI. He is also an associate member of the Association of Certified Fraud Examiners.
A: The biggest change is that compliance has been transformed from a good idea to a mandate. In the wake of devastating corporate scandals, governance has taken center stage. Publicly traded companies have been forced to protect investors from fraud or face stiff penalties. For example, executives found guilty of retaliation against a whistleblower under Sarbanes-Oxley face substantial fines and up to 10 years in prison.
Many private organizations are adopting practices similar to those required for public companies. Certain industries, notably higher education, have been proactively adopting best practices surrounding workplace ethics.
The increased focus on ethical behavior offers security professionals an opportunity to improve detection and prevention of many illegal and unethical activities. Given the spectrum of issues facing any organization, it makes sense to train all employees about ethics.
A: Security is a critical team member in helping an organization develop processes that will not only assist with compliance but will also minimize risk. Security professionals offer knowledge and expertise that should be influencing employee communication and training regarding illegal and unethical behavior.
A: Every organization faces risk from many angles. Traditionally security has attempted to prevent and detect some of the most damaging activities, while compliance managed and documented employee awareness of behaviors outlined in the code of conduct. Introducing compliance as a factor in areas like insider trading and illegal loans to executives has blurred the lines. Issues that were traditionally seen as security-related and those that were viewed as compliance-related are now often the same issues. Ideally compliance and security are working hand in hand to develop strong processes and communication that help the organization to both comply with regulations and stop the cycle of unethical behavior.
A: When communicating with a decentralized management team, you should be thinking in terms of both education and documentation. You need to develop communication tools that describe the behaviors that are encouraged as well as those behaviors that are not condoned. Information should be disseminated to all employees through a variety of venues and tools, such as in town hall meetings and on intranet sites.
When dealing with a dispersed employee population, using the Internet for training is highly efficient. Interactive Flash training modules can be used to inform employees about your company's ethics initiatives. To employ the interactive element, include a short quiz to test management's knowledge of the information.
Whatever training tools you use, you need to document receipt and understanding by managers. Some organizations are seeking documentation from all employees, which may not be feasible for your organization. This documentation can be compiled by having managers visit an intranet site or call a toll-free number to respond to questions. This documentation is a valuable step. It proves the activities the organization implemented to comply with sentencing guidelines.