
What is your experience with applying IT policy to the Board of Directors?

Please mention the country and industry you have experience in, since the advice you're sharing may or may not be the same across all industries.

[Edit]

It isn't uncommon for a single Board Member to be involved in more than one board/company. If this is the case, it's entirely possible that that individual may have conflicting IT policies in place if they were both applied to the same machine. How does this ultimately impact the way they do business?

makerofthings7

5 Answers

I work in healthcare and write the IT policies (among other things). All of my policies are reviewed by the corporate compliance team and others before being finalized. Once a policy is approved the first people I hold to the policy are the ones who asked for it or helped write it.

My thinking is that the people who helped create the policy should be the ones who have to deal with it first so that they know whether it works. When I changed the password complexity requirements our CEO needed to get information off of his PC for a meeting. Rather than accept a temporary exemption from the password policy change he insisted on being held to the same standard as everyone else.

If someone on our board is using a system connected to our network they can either use the guest wireless or they can abide by the policies. All of the policies I write have an exception clause, but the exception must be in writing and reviewed. All exceptions are sent to the compliance auditor within 30 days of the exception and annually the full list is sent. Any exception expires no more than a year from the exception to force a review.

I'm okay with there being reasonable exceptions, as long as it is documented and necessary. When that happens I just require a compensating control to be demonstrated.

Wayne

Every single person in the organization must abide by the policies. With that being said, since they are in charge they are within their right to make a change to the policies.

They should be sold on the policies so they don't change them. IT is doing it to protect the Board's investment.

EDIT: with regard to conflicting policies across orgs, I say the same policies apply. How would you handle an outside contractor's laptop?

Steve

Agree with Steve - however a common source of non-compliance is director or board level. These individuals often want the latest technology, or want more freedom or flexibility than their staff, and are in a position of power so can demand it, so sometimes the Information Security team needs to proactively identify solutions to upcoming technology issues in order to provide a secure solution by exception in these cases.

Where senior/executive management are utterly bought in to security policies, an organisation is typically more robust and governance and compliance are more easily demonstrated, but in the more usual business organisation the aim is to make compromises which allow us to enable business while not impacting security too much.

In my experience this doesn't vary that much between countries in Europe, America or the Middle East, or across industries. The point being that individuals in senior positions want to do business their way, and usually their way is considered right for the business if they make revenues and that is where we as Information Security professionals come in.

The circumstance where an individual sits on more than one board is a major problem. The security ideal is obviously to completely segregate each role, however getting a director to carry round multiple laptops is unlikely. What typically happens is they use one account and manage all emails and accesses from one machine - and you end up relying on them not making a mistake.

Dangerous!

Segregation by virtual machine would seem to be a logical next step, but I have only ever seen this once. This can be secured to a high level, but requires a certain amount of communication between organisations to agree the configs etc.

Rory Alsop

If you're lucky enough to operate in a jurisdiction where directors would be personally liable for knowingly violating the protections in place, you can just wave that piece of law at them until they realise they had better comply with the policy.

Rory Alsop

A board member should never deviate from the company's policy where the policy applies to them. The policy should be clear on what applies to whom and what the consequences for violation are. Policies can have contradictory elements where "allowed vs not-allowed" depends on one's position and responsibilities. The board should be prepared to justify the policy to whomever they answer to: shareholders, regulatory agencies, etc.

Where policy is concerned the one position you don't want to find yourself in is where you knowingly allow/aid users in circumventing the policy. If you have to have exceptions document them. Better yet make them part of the policy. If the board isn't comfortable documenting an exception and still insists on being the exception go polish your resume.

A board member shouldn't be any different from any other employee with regards to following the rules. But it is up to the board, barring any legal restriction, to decide if a different set of rules should apply to them.

It is the board member's responsibility to understand what is required of them. If they are placed in a position of conflict they should reach out to both entities and try to reach a compromise. From a technical point of view the easiest solution would be complete segregation of resources, i.e. two separate machines. Obviously this isn't the most usable solution. I would try to shoot for giving them remote access to an internal machine that has limited access to just what they need to do their job. I am not a big fan of giving them email access where they can work with documents from their personal machine. No matter what you do, be sure it is documented and you are doing what your policy states you are doing.

sdanelson