Granted, some IT professionals will accept this approach because it grants them more power and reduces oversight of their work. After all, dealing with a disinterested, nontechnical boss is neither fun nor effective. The best-run organizations have managers who understand their important role in compliance.
In my work, here are six things I believe senior management and business owners must understand if their companies are to be compliant with the required standards, laws, and regulations.
1. Compliance is not a homework assignment--it is how your organization operates every day.
Sure, you may pass an audit on occasion, but audits are not a check of how you did today. The audits are a look at how you operate day in and day out: what is the process, how is it managed, how is it tracked, and how can you improve it?
2. Management has responsibilities that cannot be delegated.
For example, it should never be the IT staff's responsibility to decide how long to keep archived emails. That is a legal decision that should be defined in management's policy, managed by IT processes, and verified by either management or someone who is not in IT.
3. Systems are not compliant--organizations are compliant.
Computer systems do not operate in a vacuum. They are tools for employees. Companies are about people who use tools to do something. Compliance is about how something works, not just the tools.
4. Employees and business processes are typically a much bigger problem for compliance and security than computer systems.
Study after study has found that many more problems result from sloppy processes and employee behavior than from network breaches and hacking.
The effort to achieve and maintain compliance with Sarbanes-Oxley requirements remains one of the primary drivers behind many IT security initiatives. In our Security Via SOX Compliance report, we share 10 best practices to meet SOX security-related requirements and help ensure you'll pass your next compliance audit. (Free registration required.)