by Kadrith
5161 days ago
My experience has been very different; however, I work in a place that does care about the burden placed on people by compliance. I am also heavily involved with compliance, drafting policies and the implementation of those policies. When someone wants a new policy implemented I have a rule that they are the first ones I hold to the new policy. One example was a change to the password complexity requirements for our organization (health care); since this was approved by senior leadership I changed the passwords for senior leadership first and did not allow any exceptions to the new policy. This ensured that the people who initiated the policy and are in a position to change the policy are the first ones impacted by it. If something was horribly wrong I would only change the policy or provide an exception if anyone who met the same criteria was also to be given the exception. If the exception is by job title or position I would require that they explicitly put that in the policy; that has never been requested though. When there is a process to communicate issues and a culture that actually cares, compliance isn't as bad. For example, we instituted a stricter change management process about a year ago. We got people together to figure out what we thought a good balance was between the compliance needs, operational needs and the problems we were attempting to solve. As we were using the new process we gathered information from people, then reviewed the entire thing at around six months. Based upon the feedback we made changes to the process, loosening some things and tightening other parts. We have another meeting to review this in a few weeks since there have been some new proposals for how to streamline the process. As far as management learning the rules, I tend to not have too much issue with that. If they don't follow the rules and are unwilling to comply, their access to all systems will be shut off; the IT security group reports to me. :) Once people know you will go so far as to shut off their access for not cooperating, it is amazing how quickly they work with you when an issue arises. For us there is always a process to get exceptions with any policy; but the person performing the action may not be authorized to give themselves an exception arbitrarily.