Skip to content
Awareity
Primary Navigation Menu
Menu
  • Home
  • About
    • About
    • Awareity Butterfly Effect
    • Contact
    • Support
  • Solutions
    • Information Security Training
      • Information Security Awareness Training
      • Awareness and Accountability Vault (AAV)
    • Prevention and Connecting the Dots Platform
    • Prevention and GAP Assessment
    • Threat Assessment Teams
    • Climate Surveys
    • Resellers
    • Industries
      • K12
      • Higher Education
      • Diocese
      • Healthcare
      • Government
      • Corporate
  • Blog
  • Info Request

What is a “Failure to Implement”?

By: Awareity
On: April 19, 2010

 

Recently, Awareity’s CEO, Rick Shaw, was asked to present at the Infotec conference in Omaha.   During his presentation, “The Truths (and Myths) About Assessments, Planning and Implementing”, Rick discussed the three-legged stool each organization is sitting on, and the importance of all three legs (Assessments, Planning/Developing and Implementing).

Most organizations understand the importance of assessments and planning, but where many fail to deliver is in the implementation phase.   As we have seen with numerous headlines and lessons learned, a failure to implement can lead to expensive fines, lawsuits, breaches and losses.  Rick used a case study for CVS Caremark.   Due to employees carelessly tossing old pill bottles into a store’s dumpster, CVS now has the FTC coming to audit their information security program for the next 20 years and was forced to pay a HIPAA violation fine of $2.25 M.

The  FTC Complaint Docket No. C-4259 read:

 “Among other things, respondent failed to: 1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal.”

During the presentation, one woman raised her hand and asked, “What do you mean by “implement”?  How do you “implement” your policies and procedures once they are created?”

I thought this was a great question and one that should be expanded upon.

An organization can have the best security policy (or plan, program, etc.) in the world, but if the policy is not implemented down to the individual-level, how will individuals be able to help the organization achieve better results?

If your organization is just blasting your security policies out to your people in e-mails and memos…how do you know if anyone received the email or is reading the policies and understands them? Or perhaps you are sending out updated pages for the employee handbooks or manuals…how can you ensure your employees are actually reading these policies?  Are the binders just sitting on a shelf untouched?

Implementing policies, procedures, plans and processes means organizations have documentation and proof that individuals have read, understood and acknowledged their roles and responsibilities.  Regulations require proof of implementation.  Legal due diligence requires proof of implementation.  Lessons Learned continue to prove that organizations that lack implementation will continue to experience expensive and embarrassing results.

Organizations must ensure all appropriate individuals (employees, third-parties, etc.) are receiving updated policies and guidelines, reading the policies, understanding the policies, and acknowledging their individual roles and responsibilities.   Providing employees with a once-a-year general training session is not good enough as we know risks, threats, best practices, etc. are constantly changing.  The bad guys are not taking 364 days off, is your organization?

Share this post to help us connect the dots...Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Email this to someone
email
Print this page
Print
2010-04-19
Previous Post: Lack of Awareness Kills…
Next Post: Mounting Challenges with People and Processes…Do you need a Tractor?

READ MORE:

WATCH MORE:


Get Solutions For Your Challenges!
 
 
 
 
 
 
Don't worry, we will only call if you request "Phone" as your contact preference. We hate spam calls too!


Not seeing the form to request information? Drop us a line and we'll send you more information!

Recent Blog Posts

Cyberattacks: The Solution Requires EVERYONE Staying Alert and Aware

January 18, 2021

Nashville Attack – A Call to Action to Revolutionize Community Safety

January 12, 2021

Threat Assessment Teams: Six Tools Most Community and Organization TATs Are Missing

January 7, 2021

Connecting the Dots: Stopping Human Trafficking

November 5, 2020

Ransomware Solutions: Ongoing Awareness and Accountability Vault

October 1, 2020

Support

Need more information on
Support for AAV or TIPS?

Click here

What are you looking for?

Connect the Dots With Us!

| |

Designed using Dispatch Premium. Powered by WordPress.

This site uses cookies to ensure that we give you the best experience on our website. Continuing to use this site means you are agreeing to the use of cookies.Ok