Policy vs Standard
A common question is "What is the difference between a policy and a standard?"
ANSWER: In simple terms, a policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. A policy is intended to come from the CEO or board of directors and has strategic implications. A standard, by contrast, is a formally-established requirement in regard to a process, action or configuration that is meant to be an objective, quantifiable expectation to be met (e.g., 8-character minimum password length, change passwords every 90 days, etc.).
In reality, no one should ever ask for an exception to a policy. Exceptions should only be granted for standards, and only when there is a legitimate business reason or technical limitation that precludes the standard from being followed (e.g., a vulnerability scanning exception for a "fragile" application that breaks when scanned with the default scanning profile). If a standard is granted an exception, a compensating control should be put in place to reduce the increased risk that results from not meeting the standard (e.g., segmenting off the application that cannot be scanned for vulnerabilities).
Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. The information below is meant to help get everyone on the same sheet of music, since words do have meanings and it is important to understand cybersecurity and privacy requirements. In the context of good cybersecurity & privacy documentation, policies and standards are key components that are intended to be hierarchical and build on each other, forming a strong governance structure that takes an integrated approach to managing requirements.
Hierarchical Approach To Documentation
In an effort to help clarify this concept, the ComplianceForge Hierarchical Cybersecurity Governance Framework™ (HCGF) takes a comprehensive view of the documentation components that are key to being able to demonstrate evidence of due diligence and due care. This framework addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The Secure Controls Framework (SCF) fits into this model by providing the cybersecurity and privacy controls an organization needs to implement to stay both secure and compliant.
ComplianceForge has simplified the hierarchical nature of cybersecurity and privacy documentation in the following downloadable diagram, which shows the distinct role of each component as well as the dependencies that exist between them:
- A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes.
- Essentially, a policy is a statement of expectation that is enforced by standards and further implemented by procedures.
- External influencers, such as statutory, regulatory, or contractual obligations, are commonly the root cause for a policy’s existence.
- Control Objectives are targets or desired conditions to be met that are designed to ensure the intent of a policy is achieved.
- Control Objectives help to establish the scope necessary to address a policy.
- Where applicable, Control Objectives should be directly linked to an industry-recognized practice (e.g., statutory, regulatory or contractual requirements).
- Standards are formally-established requirements in regard to processes, actions, and configurations.
- Standards are finite, quantifiable requirements that satisfy Control Objectives.
- Exceptions are always to Standards and never to Policies. If a standard cannot be met, it is generally necessary to implement a compensating control to mitigate the risk associated with that deficiency.
- Unlike Standards, Controls define the actual safeguards and countermeasures that are assigned to a stakeholder (e.g., an individual or team) to implement.
- Controls testing is designed to monitor and measure specific aspects of a Standard to ensure that the Standard is properly implemented.
- Controls are the technical, administrative or physical safeguards that exist to prevent, detect or lessen the ability of a threat to exploit a vulnerability.
- Procedures are a formal method of doing something based on a series of actions conducted in a certain order or manner.
- Procedures are the responsibility of the asset custodian to build and maintain in support of standards and policies.
- Unlike Standards, Guidelines allow users to apply discretion or leeway in their interpretation, implementation, or use.
- Guidelines are generally recommended practices that are based on industry-recognized practices or cultural norms within an organization.
- Guidelines help augment Standards when discretion is permissible.