Why do we need management support for information security? Isn’t IT responsible for information security? The technical aspect is important, but the role of management cannot be neglected. Thornton says management must ensure information security. Why should management drive this policy? The management team is legally responsible for any failure that may occur. Additionally, senior management has a fiduciary responsibility for the company's assets. Our management can provide the necessary resources, including finances and personnel, necessary to implement the policy. Senior management can provide clear direction when stakeholders disagree. Finally, when senior management values ​​information security, it creates a culture in which employees also recognize this importance. So how can we get management support for our information security initiatives? We need to start the discussion with senior management first. Our goal is to draw their attention to the importance of a good information security policy. We can achieve this by communicating the need to comply, the consequences of non-compliance and finally the company's responsibilities to the customer. These are all factors intended to encourage management to support our security policy. Compliance issues that affect our company should be reported to our management. These may arise from laws at the state, federal and international level. The Sarbanes-Oxley ACT, the Electronic Fund Transfer Act (EFTA), Massachusetts 201 CMR 17, and the Fair and Accurate Credit Transaction Act (FACTA) are just a few of these laws that require a well-established information security policy. sustained. Regulations, including the Payment Card Industry Data Security Standard (PCI DSS) or the Red Flags Rule, may make compliance necessary. Industry-specific guidelines, including the Federal Information Security Management Act (FISMA), the Health Insurance Portability Act (HIPAA), and Title 21 CFR part 11 Electronic Records, also impact our compliance policies. Fear of the consequences of noncompliance can also attract management support. At the very least, failure to follow these rules can harm a company's reputation. Data breaches continue to haunt Target, Sony, and TJ Maxx, to name a few. An effective information security policy can limit damage to our reputation by setting out a plan of action to take in the event of a breach. Poor safety controls can also result in monetary damages in the form of fines and repair costs..