Implementing Policies to Drive Operational Consistency

Operational consistency means ensuring that an organization’s processes are repeatable and sustainable. The business goal is to have these processes executed each time with the same consistency and quality. This reliability allows the business to continuously improve quality. Processes evolve over time, and the more repeatable a process can be, the more likely it is that risks can be detected and removed.

You can implement security policies in the same way. This ensures that the same consistency and quality are applied to protection of information. What is meant by “a repeatable process” or “consistency”? It means when a particular risk is found again and again, the same process is used to address it each time. This consistent execution is often referred to as operational consistency.

Forcing Repeatable Business Processes Across the Entire Organization

Operational efficiency means lower costs to the business. By applying this principle across the enterprise, greater quality results can be achieved at a lower cost. For organizations with multiple divisions, developing processes once and repeating them saves time and resources. This approach also allows the organization to develop centers of excellence. These centers are typically small teams with very deep knowledge of a subject area.

An enterprise view allows senior leaders to understand how risk affects the entire organization. Someone with an enterprise view can see past the individual part to the entire structure. Such a person can see the forest and not just the trees. A single tree or group of trees might have root rot; however, the overall health of the forest may be good. This means you have a problem, but it is localized. Conversely, individual process failures may seem insignificant, but collectively they may indicate a systemic problem.

This is particularly important when it comes to security policies. Leadership needs a high level of certainty that there is operational consistency in how information is protected. Leadership is often asked by regulators to attest to security controls. For example, the chief information officer (CIO) under the Sarbanes-Oxley (SOX) Act is required to describe IT security controls goals. Many CIOs point to their company’s enforced security policies.

To achieve this repeatable behavior, you must measure both consistency and quality. Additionally, you will need to measure whether the implemented policy is achieving the desired results. It is not surprising to find processes that run for years while providing no real value. A typical example might be a report that was specially designed for an executive who has since left the company. The new executive continues to receive the report. He or she may even occasionally review it out of curiosity. But the executive never leverages its content for any real purpose. This report might be highly repeatable and sustainable, but it does not provide value.

TIP

Be sure to interview the individuals who created or manage the process. They will have insights beyond the measurements.

Security policies drive operational consistency by enforcing how information is handled the same way within business processes. Policies also force close oversight and measurement of the processes. Security policies often outline oversight requirements. They explain which measurements should be captured and how often reporting is required. The following oversight phases are typically found when trying to achieve operational consistency:

  • Manage—Manage process execution and note exceptions to standard procedures.
  • Measure—Measure volume, consistency, and quality.
  • Review—Periodically assess to ensure desired results are achieved.
  • Track—Track defects, errors, and incidents.
  • Improve—Improve quality continuously by making adjustments as needed.

Differences Between Mitigating and Compensating Controls

A mitigating control limits the damage caused by not having a control in place. It assumes the absence or breakdown of a primary control. It is a control after the fact. For example, suppose someone enters an invalid account number. Either a control did not exist to prevent this or that control did not work. Either way, as long as the account number is validated before further action can be taken, there is a mitigating control in place. A mitigating control, however, may not achieve the full intent of a policy.

In contrast, a compensating control achieves the desired outcome and policy intent. It doesn’t necessarily achieve it the way the policy says to do it, but the outcome is the same. Back to the example: Suppose before the account number can be entered, a master list of accounts is checked manually. Ideally the error would be caught immediately, but the manual check is still a preventive control. If the policy required an automated validation of all account numbers at time of entry, the system would be out of compliance; however, the manual check is a compensating control, and the risk is mitigated.

Understanding mitigating and compensating controls is essential in granting exceptions. What you must figure out is how much risk is left and whether that risk is acceptable.

Policies Help Prevent Operational Deviation

Operational deviation is inevitable, so it is important that a policy's intent be clear. From clearly communicated intent comes a better understanding of the desired outcome. Intent also helps employees know better what risks the company is not willing to take. It is impossible to foresee every possible circumstance. For one thing, security policies tend to cover broad topics. Second, technology is always evolving. Good policies allow the employee to apply the intent and understanding of risk to situations not explicitly outlined.

Operational deviation from policy in itself may not be a problem when there is a solid business reason. However, as the number of exceptions grows, the policy’s credibility is potentially reduced. Security policies are put in place to reduce risk. Deviating from those policies could increase the risk and prevent meeting legal obligations.

To balance these interests, most organizations have an exception process. This is also called a waiver process. Typically, you submit a waiver request to a centrally managed team that reviews and approves the deviation. The waiver process examines the business rationale and tries to determine whether the exception is necessary. When implementing a waiver process, the following should be considered:

  • Independence—Be independent of the business unit seeking approval.
  • Impact—Examine the risk to the entire organization.
  • Benefits—Understand the business benefits.
  • Mitigation—Identify security controls outside of policy.
  • Approvals—Residual risk should be formally accepted by management.

Residual risk is the risk that remains after security controls have been applied. When the business cannot comply with policy, the residual risk needs to be measured and compensating controls considered. A compensating control can reduce the same risk identified by policy but in a different way from what is outlined in policy. Ideally you want to implement compensating controls that reduce the same amount of risk identified in policy. If not, they should at least reduce some of the risk. When you cannot implement a preventive control as required by policy, consider using a detective control. These compensating controls may be outside policy but may be able to reduce some or all of the risk. Any remaining risk would then have to be properly approved. Proper approval includes vetting residual risk with those leaders who would be held accountable in the event the risk is realized. For example, if an application could not meet security policy requirements on protecting PII data, the chief privacy officer (CPO) needs to approve the exception. Ultimately, if PII data is lost or stolen because of the policy exception, the CPO may have to explain to regulators why the exception was permitted.
