The lack of sustainable control environments is a top contributor to ineffective controls and data breaches. Sustainable security and compliance are achieved by demonstrating a consistent capability to maintain ongoing operation of all required security controls. This capability prevents or minimizes future deviation from required performance standards. Organizations achieve sustainability by design (i.e., by building sustainability into the functional, operational specifications of the compliance program and reinforcing it through frequent education, training and awareness). The 9 Factors of Control Effectiveness and Sustainability, described below, structure compliance programs effectively for data protection and establish key success factors in corporate security management.

Factor 1: Control Environment

Effective control environments require knowledgeable people who understand responsibilities and limitations and are competent and committed to organizational policies, standards and procedures – doing what’s right in the right way. Management must create a security-conscious culture. Organizational culture determines the degree of the control environment’s health – defined and enforced through values, priorities, management styles, standards, processes and organizational framework. A control environment with a defined internal control ...