
Policy vs Standard vs Procedure: why, what, how

Ever wondered what the differences between these terms are?

We use them in GRC very often, but we rarely think about what they mean. Over time this stretches the concepts, so that their meanings overlap to a certain degree.


A Policy is a high-level, mandatory statement of principles and intent.
A Standard is a mandatory, specific requirement that defines what is needed to comply with a policy.
A Procedure is a detailed, step-by-step set of instructions on how to implement a standard or fulfill a policy.
Policies set goals, standards define the required outcomes, and procedures provide the detailed roadmap to achieve them, forming a hierarchical structure within an organization.

Policy

What is it
A high-level, broad statement of principles, intent, or requirements designed to guide decisions and achieve outcomes.
Purpose
To establish strategic goals, the intent, to support an organization’s mission, comply with laws, or minimize risk.
Answers
Describes the Why: why something must be done.
Mandatory
Yes, policies are mandatory and define why something must be done. Because they are generic, defining the need rather than the implementation, they rarely change and are not negotiable.
Example
An IT Security Policy that states the organization will protect sensitive data from unauthorized access.

Standard

What is it
A mandatory, specific technical requirement or rule that provides concrete, measurable details for policy compliance.
Purpose
To provide the specific rules, metrics, and technical configurations necessary to make policies meaningful and effective.
Answers
Describes the What: what must be done to implement the policy.
Mandatory
Yes, standards are mandatory and define specific configurations, timelines, or processes. Because they are specific, describing the implementation, they can change with the dynamics of the particular industry.
Example
An IT Security Standard for data encryption that is required by a Policy stating that the organization will protect sensitive data from unauthorized access. The standard defines which encryption algorithm will be used, when to use it, what kind of data must be encrypted and who is responsible for implementing it.

Procedure

What is it
A detailed, step-by-step set of instructions outlining the specific actions to be performed to implement a standard or policy.

Purpose
To provide clear, actionable guidance on how to execute a task and to ensure consistent, repeatable and measurable results. It also defines Who should do something and When.

Answers
Describes the How: how something defined by the standard, or directly by the policy, must be done.
Mandatory
Yes, procedures are mandatory and specify the exact steps an employee must follow. Because they define detailed requirements on how to implement a standard or policy, they change as needed.

Example
A step-by-step instruction set on how to encrypt data in a database, a hard drive, emails and other types of information.

How They Work Together (Hierarchically)

  1. Policy (The Goal): The high-level statement of intent, like an IT security policy.
  2. Standard (The Rule): The specific requirements that support the policy, such as password complexity standards.
  3. Procedure (The Steps): The detailed instructions on how to follow the standard, like the steps to change a password.
This top-down structure ensures that policies are actionable and that goals are met through consistent, documented processes.

What about Guidelines?

Guidelines are at the bottom, offering recommended and flexible support for the entire framework. They are optional and usually accompany procedures and standards.


The post Policy vs Standard vs Procedure: why, what, how first appeared on Sorin Mustaca’s blog.

Demystifying cybersecurity terms: Policy, Standard, Procedure, Controls, Framework, Zero Trust

I am often asked what the difference is between Policy, Standard and Procedure in cybersecurity.

Well, here it is:

1. Cybersecurity Standard

A cybersecurity standard is a set of guidelines, criteria, or best practices that organizations follow to ensure that their security controls and procedures align with industry standards or regulatory requirements. Standards provide a benchmark for measuring security maturity and often serve as a reference for audits and assessments. Common cybersecurity standards include ISO 27001, NIST Cybersecurity Framework, and CIS Controls.

2. Cybersecurity Framework

A cybersecurity framework is a structured approach to managing and improving an organization’s cybersecurity posture. It’s a comprehensive set of best practices, guidelines, and tools designed to help organizations assess, develop, and enhance their cybersecurity programs. Frameworks provide a strategic perspective and often include a collection of policies, procedures, controls, and standards. Prominent frameworks include NIST Cybersecurity Framework, CIS Critical Security Controls, and ISO 27001.

As can be seen, a standard often does not come alone: it comes with a framework, which allows the implementer to start quickly and build a basis for the cybersecurity implementation.

3. Cybersecurity Policy

A cybersecurity policy is a foundational document that sets the overarching principles and guidelines for an organization’s security posture. It is a high-level, strategic document that outlines the organization’s commitment to security, the roles and responsibilities of individuals and departments in safeguarding assets, and the consequences of non-compliance. Cybersecurity policies are essential for aligning security efforts with business goals and regulatory requirements.

4. Cybersecurity Procedure

While policies provide a high-level framework, procedures are the detailed step-by-step instructions that help employees or security personnel implement the policies effectively. Procedures are specific and actionable, often detailing how to respond to security incidents, configure software securely, or conduct security audits. They ensure consistency and best practices are followed in day-to-day operations.

5. Cybersecurity Control

Controls are measures, safeguards, or countermeasures that organizations put in place to protect their information systems and data. Controls can be technical, administrative, or physical in nature. They are designed to mitigate risks by preventing, detecting, or responding to security threats. Examples include firewalls, access controls, encryption, and antivirus software.

In summary, these four terms play distinct but interrelated roles in the world of cybersecurity. Policies set the overarching goals and principles, procedures provide the detailed instructions for implementation, controls are the measures and safeguards in place to protect against threats, and standards offer a reference point to ensure compliance with established best practices.

Effective cybersecurity requires a holistic approach that encompasses all these elements. By establishing clear policies, well-documented procedures, robust controls, and adherence to industry standards, organizations can better defend themselves against the ever-evolving threat landscape and protect their sensitive data and digital assets.

6. Zero Trust

Zero Trust in Cybersecurity: from myth to the guide


7. Authentication and Authorization

https://www.sorinmustaca.com/authentication-vs-authorization


The post Demystifying cybersecurity terms: Policy, Standard, Procedure, Controls, Framework, Zero Trust first appeared on Sorin Mustaca on Cybersecurity.