Information Security policies support compliance in many ways.
Beyond sensitising employees to the risks posed by technology, information security policies minimise the organisation’s exposure to vicarious liability for unauthorised or unlawful acts carried out by employees during the course and scope of their employment.
As a general rule, an employer is vicariously liable in civil law for any wrongful act committed by his employee while acting within the general scope of his employment, or whilst engaged in any activity reasonably incidental thereto (Mkize v Martins 1914 AD 382 at 290). An employer may also attract liability where there has been ‘passive approval’ of activities that an employee engages in which fall outside the scope of their authority. An employer is therefore responsible for ensuring that defamatory, discriminatory, racist and similar behaviour, whether through e-mail / Internet related activities or otherwise, does not take place in the workplace.
Compliance with laws and supporting internal audit
Information security policies also document compliance with laws and support internal auditors in their compliance checks. One example is the duty under certain statutes to retain particular documents, which is given effect through a record retention and destruction policy.
Protecting trade secrets and know-how
Policies can serve as evidence of internal quality control processes and can give a business partner sufficient confidence to disclose confidential information and documentation.
They can also provide extra protection for sensitive intellectual property. In a court of law, policies can serve as evidence that an organisation took serious steps to protect its sensitive intellectual property, helping to convince the court that such intellectual property should be treated as a trade secret or know-how.
An increasingly compelling body of thinking is evolving which holds that management, and even technical staff, may be held liable for inadequately addressing information security matters. The basis for this liability can be negligence, breach of fiduciary duty, failure to use the security measures found in other organisations in the same industry, failure to exercise the due care expected of a computer professional, or failure to act after actual notice of a compromise. Policies have been shown to be influential evidence before various alternative dispute resolution fora in demonstrating that management has been concerned about, and has done something about, information security.