Why do we need management support for information security? Isn't IT responsible for information security? The technical aspect is important, but the role of management cannot be overlooked. Thornton says management must promote information security. Why must management drive this policy? The management team is legally responsible for any violations that occur. Additionally, senior management has a fiduciary responsibility for the company's assets. Management can provide the resources, including finances and personnel, needed to implement the policy. Senior management can provide clear guidance when stakeholders disagree. Finally, when senior management places importance on information security, it creates a culture in which employees also recognize its importance.

So how do we get executive support for our information security initiatives? First, we need to start the discussion with senior management. Our goal is to draw their attention to the importance of a good information security policy. We can do this by communicating the need for compliance, the consequences of non-compliance, and finally the company's responsibilities. These are all factors intended to attract management support for our security policy.

Compliance concerns affecting our company should be raised with our management. These can arise from laws at the state, federal, and international levels. The Sarbanes-Oxley Act, the Electronic Fund Transfer Act (EFTA), Massachusetts 201 CMR 17, and the Fair and Accurate Credit Transaction Act (FACTA) are just a few of the laws that require a well-supported information security policy. Regulations, including the PCI DSS (Payment Card Industry Data Security Standard) and the Red Flags Rule, can also drive the need for compliance. Industry-specific guidelines, including the Federal Information Security Management Act (FISMA), the Health Insurance Portability Act (HIPAA), and Title 21 CFR Part 11 (Electronic Records), also affect our compliance policies.

Fear of what noncompliance entails can also attract management support. At a minimum, noncompliance can damage a company's reputation. Data breaches continue to haunt Target, Sony, and TJ Maxx, to name a few. An effective information security policy can limit damage to our reputation by defining a course of action to take in the event of a breach. Inadequate security controls can also result in monetary damages through fines and remediation costs.