Regulation that matters: What is the difference between a standard, policy, guideline and a procedure?

Earlier we brought you:

- Why Microsoft’s Office Open XML is not an open standard

- Trend - France’s public administration beginning to embrace Open Source Software and the Open Document Format

Regulation matters in the IT security business, and every organization is expected to put up an IT security policy. But the terminology can be confusing, so we outline and link to some explanations of the terms you will come across.

Policy

A policy is usually made up of a set of rules (see below). A policy may also stipulate that legal compliance and adherence to certain standards (e.g., ethical ones and ISO standards) are implied and must be demonstrated in all activities undertaken on behalf of the enterprise, which of course includes IT security efforts and risk management.

Standards
- industry standards - try to improve the compatibility of technology and facilitate globalisation,

- international standards - are a result of ever-increasing globalisation, which requires that countries work together in harmonising legislation to make conducting business across borders a bit easier.

Often a firm's policy refers to some standards. The philosophy or idea behind a standard can also differ (you must vs. you may), such as:

- principles-based standards - usually based on common sense, stating the objective and leaving the means to the organization, and

- rules-based standards - these govern the acceptable use of computing resources, security practices, and operational procedures in an organization.

Rules may be written as:

- prescriptive rules

These prescriptive rules spell out what must be done. In turn, IT security pros must be able to demonstrate that they have followed these rules to achieve legal compliance. The set of rules can also be called the policy, since the latter is made up of a set of rules.

GUIDELINES AND PROCEDURES

Management may also issue guidelines, for instance on issuing biometric access cards for building facilities. Guidelines are recommendations for best practice: they describe what should be done, as opposed to rules, which state what must be done.

Guidelines, in turn, result in standard security procedures: step-by-step instructions that make it easier for an employee to implement and follow the guidelines in his or her daily work.

TREND

Globalisation has resulted in the convergence of standards.

However, other things being equal, while Europe tends to use and prefer principles-based standards, the U.S. tends to prefer prescriptive rules, which are much more specific and easier for auditors and others to check against. Hence, prescriptive rules tend to be preferred by corporate lawyers.

This difference is also illustrated by ISO 17799 (since renumbered ISO/IEC 27002), which is principles-based and sometimes rather open to interpretation. Cobit also strives to be principles-based; however, its specificity sometimes borders on an explicit and extensive set of rules that one must follow, see also:

- How do ISO 17799 and Cobit complement each other?

WHAT IT MEANS FOR IT PROS

For an IT pro the choice among standards, guidelines and much more can be confusing. Ultimately, however, it all comes down to the corporate policy and achieving legal compliance, to avoid liability issues that could result in a big financial fall-out.
