Some Thoughts on “Malicious Compliance”

Posted February 22nd, 2007 by

Malicious compliance (thanks for the name, Steve) is the act of generating literally waist-high stacks of documentation in order to satisfy the auditors with a snide comment like “You wanted documentation, you got it now”.  While it’s not exclusive to the government, I think we have a big, broad corner on the market when it comes to malicious compliance.  The BOFH in me likes malicious compliance, but it’s really no way to manage information security.

There are many problems with this approach, but I think the most important thing is that usually the documents created during malicious compliance are not grounded in reality, nor do they relate to “adequate security” as we define it.  Really all we’re doing is wasting time and money in order to “game” the way information assurance works.  Hmmm, I sound like one of the FISMA critics today.

So why does malicious compliance occur?  Well, I have seen it on several projects, but usually it all comes down to 2 factors:  there is a gap in understanding of information assurance, and/or a personality conflict exists between auditors/evaluators and the project team.

No surprise, there is a shortage of skilled information assurance staff.  There is a significant amount of people who come from non-security (technical writing, journalism, etc) backgrounds that are put into certification and accreditation roles.  They just don’t know how security controls work, nor do I expect them to.  Don’t get me wrong, there is a place for these people, but it involves doing final editing and document control, not developing content for security plans.

I used to have a boss that would tear up all of my writing, saying things like “This paragraph is written in passive voice,” or “You need to go through this line-by-line to make sure that all the periods have 2 spaces after them.  The crux of the matter is that I’m not a big guy on style and formatting, I focus more on the content.

When it comes to auditors, in the words of a friend, “They know what they know, and what the know are checklists.”   At some point in the public sector, you’ll find an auditor who can’t see past their checklist.  They want to do well, they want to protect the data that has been entrusted to the government.  But it’s a hard position to be in because you are coming in and in a matter of days you have to make an evaluation of what the system owner has had months (sometimes years) to look at.

Notice a common theme here?  It’s all about personnel management in information security.  You can’t get the job done without skilled people.  Most of the time, what I’ve noticed is that instead of building real security, we’re stuck dealing with personnel management.

Similar Posts:

Posted in FISMA, Rants, What Doesn't Work | No Comments »

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: