On Accreditation and Compliance

I work for an accredited law enforcement agency. Dually accredited, actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylvania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This is an accomplishment to be proud of, for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.

The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police, particularly on the use of force. Agencies that were already accredited met most of the policy demands called for by reformers, but the need to look responsive is irresistible. Policies are tweaked, the language is changed, “enacted dates” are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed; some are just policing reform theatre.

I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agency follow the policies as written, they will be less likely to be questioned, disciplined, and named in a lawsuit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve. Even for the best-intentioned officer. Many policy violations are not deliberate; they happen because the officer is making a split-second decision while under extreme stress. The angle of his knee on an actively resisting suspect's back is the last thing on his mind. On the other hand, some policies are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers figure, why even try?

Accreditation and compliance are also big business in the world of information security. And with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it has been deemed compliant, you are going to be terribly disappointed. And look like a fool. An audit attests that a set of controls existed on the day of the audit; it says nothing about how those controls are operated the rest of the year, or about the systems and people that fell outside its scope. Compliance frameworks are a set of best practices that will lead the organization toward a more productive and secure environment, but you can't just enact the framework, declare yourself secure, and walk away.

And just like policing, there is a severe disconnect between the written policy and the actions of the end-user. Consider the standards of NIST, ISO, HIPAA, or PCI DSS, not from the view of a security practitioner, but from that of the end-user. Review them from the mindset of an engineer, data entry clerk, call center supervisor, teacher, nurse, or any other job position within your organization that is not within the legal and security division. It's a completely different outlook.

I'm willing to bet that when asked how they feel about your information and financial compliance model, they will claim the policies are “complex, overly broad, and nearly impossible to comply with.” And that is if they even know what you are asking. Asking the question “how do you feel about (enter framework here)?” is probably going to get you a lot of blank looks.

You can preach the benefits of best practices until you are blue in the face, conduct training after training, and carry through with discipline of violators, but you're never going to gain 100% adherence to your compliance program. And it only takes one person to sink a ship of thousands. One bad decision by a single cop sullies the entire profession. One bad decision by a single employee with administrator rights compromises the entire network.

Accreditation does not mean compliance. Compliance does not mean security.

#infosec #cybersecurity #risk