Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson focuses on understanding the differences between policies, standards, guidelines and procedures. A policy is something that is mandatory. A standard is not mandatory; it has more to do with how we decide what a policy's protections actually offer, and this can be related to the industry (e.g., healthcare, financial systems or accounting). Guidelines are a bit more suggestive: a guideline is merely a suggestion on how to do something in a best-practices manner. A procedure is a set of step-by-step instructions for getting something done.

Transcript

Alright, so now we'll think about what are the differences between policies, standards, guidelines and procedures? These are the four areas where most organizations would have some documentation showing the way they do things, and where there is some leeway for decision-making and where there is not. So we'll start with policies.

Policy, by definition, is something that is mandatory. At your highest level in your organization, at your executive level, the top tier, they can decide that there are certain policies which must be followed by everybody. For instance, you might have a policy that says when you join the organization you have to sign some paperwork that says that you understand that your activities on the organization's systems, the organization's networks, are going to be monitored. And you might even get a notice when you log in to any given system that your activities and your actions are being monitored. This is done for the protection of the organization and the people working there. If, for instance, you were logging in to a system and did something you shouldn't have done (it might have been an accident, it might have been on purpose) and there was a problem that resulted, the employee, or the person who took the action, would have a difficult time trying to explain that they didn't know what they were doing was incorrect if, in fact, they were required to sign a document as part of a policy that shows that their activities would be monitored. So it kind of closes the loop between what you're doing and what you're allowed to do.

Policies, as I said, come from the upper levels of the organization. So people like presidents, vice-presidents, CEOs, CFOs, CIOs; it could be someone that's an elected official, or the head of an agency. So they're giving direction at the highest level to decide what's permissible within the organization and what isn't. This helps steer the organization through its various challenges to manage risk and to dictate how the employees of that organization are allowed to act and what they're allowed to do. So, thinking about control objectives as they relate to policies, there is another thing to bring to bear. Let's say an acceptable Internet use policy gets created; every organization should have one of those. The policy might have details that say, 'You're allowed to look at your personal email. You're allowed to maybe do some online shopping. What you're not allowed to do is watch streaming video, or visit pornography sites, or gambling sites.' Those would be things that the policy would prohibit, while still allowing some personal use of the Internet while you're at work. We don't go into a lot of detail on those kinds of policies in a course like this, but it's just an example to think about. In any case, a policy is implied to be mandatory. You can't sign the agreement that says, 'I abide by the acceptable Internet use policy,' and then claim later that you didn't know you weren't supposed to go to a gambling website. That would be, you know, an obvious violation, and there should be some consequences for that.

The person that makes the policy is somewhat related to its scope. So if the policy comes from the highest level in the organization, then the scope might include the entire organization. There might be policies created at the middle level, the middle management level, let's say, and that might have a smaller scope, maybe for a particular business unit within your organization. Then you might even have a smaller scope yet, where you've got a team lead or a manager of a small team who decides that they've got their own policies regarding some actions or behavior of the people that are in that particular team. So the scope stays small because that's all that's required. It doesn't need to expand to the middle level and to the upper levels of the organization.

Now, let's contrast a policy with a standard. Standards are different from policies in that they're not something that's mandatorily handed down from higher up in the organization. A standard has more to do with how we decide what a policy's protections actually offer. You have different industry standards, for instance, for financial accounting or for best practices on how to manage proxies or firewalls. So the measurement points are what a standard is really trying to get at. If you're following a standard and the standard says, 'You need to look at nine different components or measurement points of a particular system in order to understand its effectiveness, or the effectiveness of security controls,' then that's what the standard is directing you to do. So once those control points are measured, then we can know if this particular control or this particular item that's being inspected is in compliance. If the standard was too loose and it just said something like, 'Measure the effectiveness of your firewall rules,' that's not enough detail for the auditor to say that they've looked at this at a very low level of detail and they know that the firewall rules are good. 'Good firewall rules' is not enough specificity. So a standard might dictate that you're not allowing certain traffic into the network, you're not allowing certain traffic out, you're only allowing very controlled access between points, or point-to-point communications between systems. That's kind of the detail that a standard might provide. Then, of course, management decides which standards are most applicable, in some cases. In other cases, standards might be applied because of the very nature of what the organization does: whether you're involved in healthcare or financial systems, or even government or military. Standards might vary depending on what the organization actually does.

So we have our different types of standards to think about, starting with regulatory. This, by its very name, implies that it's a law or regulation that was created by a government or a government agency. So that's where things like HIPAA and SOX, FISMA, come into play. Then there are standards within an industry; industry standards are slightly looser in that they are usually adopted by different competitors in a given industry to have some commonality in their approach. Something like the USB standard: computers, whether it's a Macintosh system, a PC system, a UNIX system, they can all use the USB standard to define how you can connect things like a thumb drive. So that's an industry standard. It's not enforced in the same way that a mandatory policy would be. You're not mandating that everybody must adhere to the USB 3.0 standard. It just makes sense for them to do so because it helps their business. It helps them be more successful by adhering to certain standards. Another way to think about this is that if you're a consumer, or a customer, and you're looking for a product or a service, you might be looking for a particular standard to be met by the provider of that product or service to make sure that you're getting what you actually want.

Then we have standards for organizations. These come from your executive management, and they might relate to the culture of the organization, how they do business, who they do business with, how they treat their customers. Things like the ISO standards: the International Standards Organization. The ISO standards have been widely adopted by many different industries. Some of them are even international in scope. Again, these are ways for different organizations to provide a similar level of confidence to their customers and their clients that because they're following a standard, it's safe to do business with them.

What about personal standards? As an auditor, your personal standards are very important: having personal integrity, being honest, being truthful with what you say, with what you do, the way you treat other people, the way that you treat your clients. So, if you do have high standards, you have virtuous behavior, you're honorable, you respect other people. You don't intentionally try to do things that are harmful. You don't steal. You don't lie. These are all very high ideals for anybody, but when you're working in the auditing profession, they're especially important, because if you have a reputation as being dishonorable or someone who bends the truth a little bit here and there, your reputation as an auditor may suffer as a result. So it's a good idea to think about trying to be the best possible person that you can if you're involved in this profession, because if you project confidence and truthfulness and integrity, then that underscores the results from your activities. It also stands to reason that someone who has high integrity and honorable behavior would not therefore share information that they shouldn't. They shouldn't steal information and try to resell it, and so on. In this day and age, when identity theft and intellectual property theft are higher than ever, these are important attributes to consider.

Okay, moving on to guidelines. So we've talked about policies and standards. Now guidelines are a little looser than both of those things that we've previously discussed. A guideline is just a suggestion on how to do something in a best-practices type of manner. So it's something you should do, but not something you must do. That's a way to, kind of, keep those a little bit separated. By definition, that means that guidelines are discretionary. So there could be a guideline that says that you should not spend too much time; going back to acceptable Internet use, you can use the Internet at work to read email, or maybe to visit a sports website for a little bit, but the guideline says you should maybe only do this during your lunch hour. Now, the guideline doesn't prevent you from doing this activity at other times of the day, and eventually, if you abuse the privilege of using the Internet at work, it probably will catch up to you, but the guideline suggests doing it during lunch, or maybe at the very beginning of the day, or the very end of the day, so as to not have a large impact on your normal workflow. So that's a good way to think about a guideline. It's kind of like a best-practices thing, but it's not really as enforceable as a standard or a policy might be.

Then we have procedures. A procedure is a set of step-by-step instructions for getting something done. Maybe you think about it as a recipe. That's another way of thinking about it. If I have to do these particular steps, I have to do them in the right order in order to get the intended result. Best practices would guide how a procedure would be created. There might be some variation allowed, depending on the criticality of the operation being performed. But, if we have a procedure in place, it makes sense to follow it. Someone took the time to create this so that you get a very predictable result. If there's a procedure, let's say, for backing up your thumb drive with your personal files, the guideline might say that you should do that once a week, or maybe even daily, depending on how important your files are. The procedure tells you the actual steps to take in order to do that: what to click, which software to load, where to store the backup, and so on.

Up Next

Certified Information System Auditor (CISA)

In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor