Relationship between policy and standard
Forum: Information Assurance, Governance, Risk and Compliance


This topic contains 16 replies, has 10 voices, and was last updated by  davidmmorris 2 years, 6 months ago.

    #74533

    ankurj.hazarika
    Participant

    Which answer will you choose?

    What is the relationship between policies and standards?

    a) Policies detail what should be done, and the standards detail how
    b) Policies describe the security vision, and standards detail what should be done.

    #74535

    SecureMe!
    Participant

    B

    #74548

    Eric
    Participant

    B

    #74552

    ankurj.hazarika
    Participant

    I selected “b” as well, but McGraw Hill says “a”. It cannot be “a”.

    #75446

    eatondave
    Participant

    Actually I’d go A. But then I see there being a third level of ‘procedures’ which is where the detailed ‘how’ would sit. As an example you might have a Policy statement that all users must be authenticated and access must be authorised. You may have Standards that describe the valid types of authentication and methods of authorisation, but for day to day operations you need a procedure which sets out how an Active Directory will be set up and managed.

    #75534

    Chin_Diesel
    Moderator

    Both of those answers seem a bit off, but A is closest to what I would say “right” is. Instead of “standard,” I would say “standard operating procedure” would be the proper term that says how something should be implemented. I guess, technically, if you think of a standard, like EIA/TIA 568B, which is a standard for your regular straight-through patch cable, then yes, a standard does indeed specify how something should be done.

    #75552

    cisatrainee1
    Participant

    Policy: A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area. Policies always state required actions, and may include pointers to standards. Policy attributes include the following:

    Require compliance (mandatory)
    Failure to comply results in disciplinary action
    Focus on desired results, not on means of implementation
    Further defined by standards and guidelines

    Standard: A mandatory action or rule designed to support and conform to a policy.

    A standard should make a policy more meaningful and effective.
    A standard must include one or more accepted specifications for hardware, software, or behavior.

    Guideline: General statements, recommendations, or administrative instructions designed to achieve the policy’s objectives by providing a framework within which to implement procedures.

    A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies.
    A guideline is not mandatory, rather a suggestion of a best practice. Hence “guidelines” and “best practice” are interchangeable

    Procedures: Procedures describe the process: who does what, when they do it, and under what criteria. They can be text based or outlined in a process map. They represent the implementation of policy.

    A series of steps taken to accomplish an end goal.
    Procedures define “how” to protect resources and are the mechanisms to enforce policy.
    Procedures provide a quick reference in times of crisis.
    Procedures help eliminate the problem of a single point of failure.
    Also known as a SOP (Standard Operating Procedure)

    #77564

    Apáti László
    Participant

    Can you please list some general top-level policy here?
    Should they be like these?
    “ensure that information is accessible only to those authorised to have access”
    “define an information classification scheme describing classes and how information of a particular class should be managed (stored, accessed, transmitted, shared, and disposed of)”

    Do procedures have to be derived from these?

    #77649

    ankurj.hazarika
    Participant

    Guys, I have a question. Let’s take ISO 27001 for instance as the example of a “standard”. It is indeed an international standard. Does it detail “how” to implement an ISMS or “what” should be done to implement an ISMS. I say it’s “what”. The “how” is specified by ISO 27002 which is not a standard, rather a guideline. In that case, wouldn’t “a” be incorrect?

    #77662

    Apáti László
    Participant

    “How” is always contextual, and rapidly changing as technology develops.

    #77665

    ankurj.hazarika
    Participant

    Didn’t understand. Pray elucidate.

    #77788

    Apáti László
    Participant

    A nice example would be enlightening me in a defined topic (i.e. backup, virus protection, anything)
    What is a top level policy, a policy, a procedure, a standard and a guideline considering one topic above?

    In my mind (correct me, only guessing more or less here!) on backup:
    – business requirement: the continuous business flow
    – top level policy: “we have to ensure that company data is available all the time”
    – a policy, derived from top level policy: “we need to backup company data fulfilling the business request”
    – a procedure for a policy “define data to backup; define RTO and RPO; set up scheduled backup, etc.”
    – a standard “for backup we need to have a daily rotation of tapes, keep the last 10 Sundays’ full backup; need to store a copy off-site, etc.”
    – a guideline “Make sure your off-site storage facility meets the environmental storage requirements for archive noted above”

    I’m really not sure here, please help me sort this out! Maybe on another topic as well!

    #77824

    Apáti László
    Participant

    Or the standard is the actual way how the company handles backup? (sw, settings, etc?)

    #78116

    Apáti László
    Participant

    This topic seems to be dead… 🙁

    #79035

    kj2015
    Participant

    Policies

    An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management.

    Standards

    Standards consist of specific low level mandatory controls that help enforce and support the information security policy.

    #111397

    yuningpu
    Participant

    Thank you for the great input.

    #112297

    davidmmorris
    Participant

    B but it is not as simplistic as that though
