Saturday, January 5, 2019

What's the difference between a policy, standard, guideline, procedure, and plan?

The Information Assurance (IA) discipline is frequently concerned with writing and/or inspecting and reviewing various policies, standards, guidelines, procedures, and plans. What's the difference?

A policy is a set of high-level, general statements produced by senior management. Policies outline roles and responsibilities, define the scope of applicability, and provide a high-level description of what is required to meet the objective of the policy. A policy should make reference to the standards and guidelines that support it. A documented policy is frequently a requirement for satisfying regulations or laws, such as those relating to privacy and finance.

Standards are the specific tools applied to a policy. A standard should be viewed as a business mandate and must be driven from the top (i.e. senior management) downwards in order to be effective. Standards help to enforce or support a policy and ensure consistency across the business. Standards usually contain controls relating to the implementation of specific technology, hardware, or software.

Guidelines are recommended best practices that are applied to a process and support a standard if one is in place. Guidelines could consist of additional recommended controls that support a standard, or they could help fill in the gaps where no specific standard applies.

A procedure is a step-by-step description of how to perform a task, and it assists workers in implementing a policy, standard, or guideline. A plan organizes a group of tasks to accomplish an objective.

For example, a policy is established that all corporate proprietary, financial, personally identifiable information, and personal health information must be protected both at rest and in transit. A standard requires that sensitive data at rest or in transit must be encrypted using FIPS 140-2 as the encryption algorithm. A guideline is that Public Key Infrastructure (PKI) is used to encrypt email. A procedure is to obtain a Digital ID from VeriSign, import it into Outlook, select AES-256 as the encryption algorithm, select SHA-256 as the hashing algorithm, etc.
