by Kadrith 5169 days ago
Presumably the organization has already performed a risk analysis and determined that the existing compliance program is sufficient to address the risks and threats while not being too burdensome. The OP and many others may disagree, but it is not their call to arbitrarily change how things are done.

I'm in charge of IT security and the designated HIPAA Security Officer for a health network. Some of my favorite conversations will typically begin with someone saying that they will follow the rules when they believe the rules make sense.

1 comment

As is often the case, the people who perform risk analysis and prepare recommendations are different from people who actually implement & enforce compliance [management].

Agree that there is not much one can do, since the 'in'compliance badge is a one-way ticket.

There is a difference between following the rules at one's own discretion and actually knowing & understanding the rules, accurately assessing the risk for each specific business case and making the right decision.

Usually typical management types do not take the time or are not willing to learn the rules. Hence, in the absence of knowledge they prefer to be on the safe side, i.e. err toward hitting every moving object.

My experience has been very different; however, I work in a place that does care about the burden placed on people by compliance. I am also heavily involved with compliance, drafting policies and the implementation of those policies. When someone wants a new policy implemented, I have a rule that they are the first ones I hold to the new policy.

One example was a change to the password complexity requirements for our organization (health care); since this was approved by senior leadership I changed the passwords for senior leadership first and did not allow any exceptions to the new policy. This ensured that the people who initiated the policy and are in a position to change the policy are the first ones impacted by it. If something was horribly wrong I would only change the policy or provide an exception if anyone who met the same criteria was also to be given the exception. If the exception is by job title or position I would require that they explicitly put that in the policy; that has never been requested though.

When there is a process to communicate issues and a culture that actually cares, compliance isn't as bad. For example we instituted a stricter change management process about a year ago.

We got people together to figure out what we thought a good balance was between the compliance needs, operational needs and the problems we were attempting to solve. As we were using the new process we gathered information from people, then reviewed the entire thing at around six months. Based upon the feedback we made changes to the process, loosening some things and tightening other parts. We have another meeting to review this in a few weeks, since there have been some new proposals for how to streamline the process.

As far as management learning the rules, I tend to not have too much issue with that. If they don't follow the rules and are unwilling to comply their access to all systems will be shut off; the IT security group reports to me. :) Once people know you will go so far as to shut off their access for not cooperating it is amazing how quickly they work with you when an issue arises.

For us there is always a process to get exceptions to any policy, but the person performing the action may not be authorized to give themselves an exception arbitrarily.