Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
This lesson focuses on understanding the differences between policies, standards, guidelines and procedures. A policy is something that is mandatory. A standard is not something that is mandatory; it has more to do with how we decide what a policy after offers and this can be related to the industry (e.g., healthcare, financial systems or accounting). Guidelines are a bit more suggestive; it is merely a suggestion on how to do something in a best practices type of manner. A procedure is a set of step by step instructions for getting something done. [toggle_content title="Transcript"] Alright, so now we'll think about what are the differences between policies, standards, guidelines and procedures? These are the four areas where most organizations would have some documentation showing the way they do things and where there is some leeway for decision-making and where there is not. So we'll start with policies. Policy, by definition, is something that is mandatory. At your highest level in your organization, at your executive level, the top tier, they can decide that there are certain policies which must be followed by everybody. For instance, you might have a policy that says when you join the organization you have to sign some paperwork that says that you understand that your activities on the organization's systems, the organization's networks, are going to be monitored. And you might even get a notice when you login to any given system that your activities and your actions are being monitored. This is done for the protection of the organization and the people working there. If, for instance, you were logging in to a system and did something you shouldn't have done it might have been an accident, it might have been on purpose, there was a problem that resulted: the employee, or the person who took the action, would have a difficult time trying to explain that they didn't know what they were doing was incorrect. If, in fact, they were required to sign a document as part of a policy that shows that their activities would be monitored. So it kind of closes the loop between what you're doing and what you're allowed to do. Policies, as I said, come from the upper levels of the organization. So people like presidents, vice-presidents, CEOs, CFOs, CIOs, it could be someone that's an elected official, or the head of an agency. So they're giving direction at the highest level to decide what's permissible within the organization and what isn't. This helps steer the organization through its various challenges to manage risk and to dictate how the employees of that organization are allowed to act and what they're allowed to do. So, thinking about the control objectives, as it relates to policies, another thing to bring to bear. We want to know that, if perhaps let's say an acceptable Internet use policy gets created. Every organization should have one of those. The policy might have details that say, 'You're allowed to look at your personal email. You're allowed to maybe do some online shopping. What you're not allowed to do is watch streaming video, or visit pornography sites, or gambling sites.' Those would be things that the policy would prohibit, but still allowing some personal use of the Internet while you're at work. We don't go into a lot of detail on those kinds of policies in a course like this, but it's just an example to think about. In any case, policy is implied that it's mandatory. You can't sign the agreement that says, 'I abide by the acceptable Internet use policy,' and then claim later that you didn't know you weren't supposed to go to a gambling website. That would be, you know, an obvious violation, and there should be some consequences for that. The person that makes the policy would somewhat be related to its scope. So if the policy comes from the highest level in the organization, then the scope might include the entire organization. There might be policies created at the middle level. The middle management level, let's say, and that might have a smaller scope maybe for a particular business unit, let's say, within your organization. Then you might even have a smaller scope yet where you've got a team lead or a manager of a small team who decides that they've got their own policies regarding some actions or behavior of the people that are in that particular team. So the scope stays small because that's all that's required. It doesn't need to expand to the middle level and to the upper levels of the organization. Now, let's contrast a policy with a standard. Standards are different than policies in that they're not something that's mandatorily handed down from higher up in the organization. A standard is more to do with how we decide what a policy's protections actually offer. You have different industry standards, for instance, for financial accounting or for best practices on how to manage proxies or firewalls. So the measurement points are what a standard is really trying to get at. If you're following a standard and the standard says, 'You need to look at nine different components or measurement points of a particular system in order to understand its effectiveness, or the effectiveness of security controls,' then that's what the standard is directing you to do. So once those control points are measured, then we can know if this particular control or this particular item that's being inspected is in compliance. If the standard was too loose and it just said something like, 'Measure the effectiveness of your firewall rules,' that's not enough detail to really give the auditor to say that they've looked at this in a very low level detail and they know that the firewall rules are good. A good firewall rule is not enough specificity. So a standard might dictate that you're not allowing certain traffic into the network, you're not allowing certain traffic out, you're only allowing very controlled access between points to points, or point-to-point communications between systems. That's kind of the detail that a standard might provide. Then, of course, management decides which standards are most applicable, in some cases. In other cases, standards might be applied that are because of the very nature of what the organization does: whether you're involved in healthcare or financial systems, or even government or military. Standards might vary depending on what the organization actually does. So we have our different types of standards to think about, starting with regulatory. So this, by its very name, implies that it's a law or regulation that was created by a government - A government agency. So that's where things like HIPAA and SOX, FISMA, those come into play. Then there are standards within an industry and industry standards are slightly looser in that they are usually adopted by different competitors in a given industry to have some commonality in their approach. Something like, the USB standard. Computers, whether it's a Macintosh system, a PC system, a UNIX system, they can all use the USB standard to define how you can connect things like a thumb drive. So that's an industry standard. It's not enforced in the same way that a mandatory policy would be. You're not mandating that everybody must adhere to the USB 3.0 standard. It just makes sense for them to do so because it helps their business. Helps them be more successful by adhering to certain standards. Another way to think about this is that if you're a consumer, or a customer, and you're looking for a product or a service, you might be looking for a particular standard to be met by that provider of that product or service to make sure that you're getting what you actually want. We have standards for organizations. So this comes from your executive management. And this might relate to the culture of the organization, how they do business, who they do business with, how they treat their customers. Things like the ISO standards: the International Standards Organization. The ISO standards have been widely adopted by many different industries. Some of them are even international in scope. Again, these are ways for different organizations to provide a similar level of confidence to their customers and their clients that because they're following a standard, it's safe to do business with them. What about personal standards? As an auditor, your personal standards are very important. Having personal integrity, being honest, being truthful with what you say, with what you do, the way you treat other people -The way that you treat your clients. So, if you do have high standards, you have virtuous behavior, you're honorable, you respect other people. You don't intentionally try to do things that are harmful. You don't steal. You don't lie. These are all very high ideals for anybody, but when you're working in the auditing profession, they're especially important because if you have a reputation as being dishonorable or someone who bends the truth a little bit here and there, your reputation as an auditor may suffer as a result. So it's a good idea to think about trying to be the best possible person that you can if you're involved in this profession, because if you project confidence and truthfulness and integrity then that underscores the results from your activities. It also stands to reason that someone who has high integrity and honorable behavior would not therefore share information that they shouldn't. They shouldn't steal information and try to resell it, and so on. In this day and age, when identity theft and intellectual property theft is higher than ever, these are important attributes to consider. Okay, moving on to guidelines. So we've talked about policies and standards. Now guidelines are a little looser than both of those things that we're previously discussed. A guideline is just a suggestion on how to do something in a best practices type of manner. So it's something you should do, but not something you must do. That's a way to, kind of, keep those a little bit separated. By definition, that means that guidelines are discretionary. So there could be a guideline that says that you should not spend too much time, going back to acceptable Internet use: you can use the Internet at work to read email, or maybe to visit a sports website for a little bit, but the guideline says you should maybe only do this during your lunch hour. Now, the guideline doesn't prevent you from doing this activity at other times of the day, and eventually if you abuse the privilege of using the Internet at work, it probably will catch up to you, but the guideline suggests do it during lunch, or maybe do it at the very beginning of the day, or very end of the day, so as to not have a large impact on your normal workflow. So it's a good way to think about a guideline. It's kind of like a best practices thing, but that's not really so much enforceable as a standard or a policy might be. Then we have procedures. A procedure is some kind of step-by-step instructions for getting something done. Maybe you think about it as a recipe. That's another way of thinking about it. If I have to do these particular steps, I have to do them in the right order in order to get the intended result. Best practices would guide how a procedure would be created. There might be some variation allowed, depending on the criticality of the operation being performed. But, if we have a procedure in-place, it makes sense to follow it. Someone took the time to create this so that you get a very predictable result. If there's a procedure let's say, for backing up your thumb drive with your personal files, the guideline might say that you should do that once a week or maybe even daily, depending on how important your files are. The procedure tells you the actual steps to take in order to do that: what to click, which software to load, where to store the back-up, and so on. [/toggle_content]