Authority Documents: regulations, principles, standards, guidelines, and controls

When we say that we are "complying," we are saying that we are complying with authoritative rules that are not of our own creation. (OK, so some of you reading this are, in fact, responsible for creating these rules - that's why you bought this in the first place. But when you're creating these rules you are not you, but rather you are your organization. So you, as yourself, are obligated to comply with the rules created by you as your organization. Got it?) These authoritative rules can come in the form of regulations, principles, standards, guidelines, best practices, policies, and procedures. Which is which, and what makes one authoritative body a regulator and another a best practice author? Let's start with regulations and move from there.

*  Regulations are rules of law that, if not followed, can result in penalties. Regulations state that something must be done. Regulations are promulgated by governmental agencies to interpret or expand the reach of statutes.

*  Standards are rallying points created by well-organized groups or are generally accepted within the industry. Standards rally the affected entities around what must be done.

*  Guidelines are detailed outlines and plans for determining a course of action. Guidelines prioritize and direct the course of action.

*  Best practices are programs, initiatives, or activities which are considered leading-edge or exceptional models for others to follow. Best practices set the example of how to do something the best way.

Collectively, we refer to these as authority documents throughout this book and throughout all of the other documentation within the Unified Compliance Framework.

Regulations

To regulate is to bring under the force of law or a governing authority. Everyone in his or her own country falls within the realm of the national, regional, and local laws. Hence, traditional regulators are those within the levels of government just mentioned. When governmental agencies create their acts, they are codifying legal documents that resulted from deliberations of their legislative bodies. Often, however, the acts passed by those legislative bodies establish broad principles rather than detailed prescriptions for the behavior of people and companies and delegate to regulators responsibility for filling in the details and gaps. The regulators are empowered to interpret how the laws are to be implemented and to establish rules for following those laws. Those rules are then documented as regulations, such as the Code of Federal Regulations that we have in the United States. These acts and regulations, therefore, must be followed under penalty of law.

Regulations are enforceable by law. Failure to follow regulations will result in penalties.

Contractual and self-regulatory structures

There is much confusion between "regulations" promulgated by government regulators as discussed above and the rules, standards and, yes, "regulations" promulgated by other so-called regulatory bodies and other organizations that can and do emerge to rein in our actions. Variously known as "self-regulatory bodies," "standards bodies," or by similar names, these organizations are not part of the government and do not have the force of law behind their requirements, but failure to comply with those requirements may well disqualify an entity from participating in certain businesses. The promulgators of these rules may be industry-based organizations that band together to address a concern that is common to industry members. For example, the credit card companies (Visa, MasterCard, American Express, etc.) have banded together to create the Payment Card Industry Security Standard. They may also be self-appointed watchdog organizations that have gained sufficient acceptance, prominence and/or moral authority over time that people turn to them as authorities in the field. For example, the ability to display the BBBOnline and TRUSTe seals in online commerce has achieved this type of prominence that makes it worthwhile to comply with those standards. Certain membership-based organizations promote similar types of rules as a condition of membership. The unifying principle is that they all have something you want and you're willing to contractually commit to play by their rules to get it.

We'll get to the definition of a standard in a moment, but just because this one is called a standard (it can't be called a law, Act, or regulation because it does not come from the government), doesn't mean that it can be ignored without consequences. Compliance with these types of contractual standards is, legally speaking, optional. If a company is not interested in accepting credit cards as a form of payment, it is not obligated to comply with the PCI standards. However, anyone wanting to accept credit cards is required to contractually agree to comply with the PCI standard. Similarly, anyone wanting to display the BBBOnline seal must contractually agree to follow certain guidelines and processes. Failure to comply with these obligations creates a breach of contract and, depending on the contract terms, may result in a variety of fines and, potentially, the loss of valuable contractual rights - losing the ability to accept credit cards in the case of the PCI standards could have grave consequences for just about any merchant. Losing the right to use the BBBOnline or TRUSTe seals may not have as severe an effect on a merchant as being unable to accept credit cards, but it could drive customers away to competitor sites - particularly if the contractual breach is widely publicized. The payment card industry has already fined a great many organizations and effected the closure of at least one organization that we know of for not properly following their standard. Because the payment card industry can exercise authority over its user body, and that user body is so large, in this instance they can be compared to regulators even though they haven't been given the statutory mandate of a regulator. However, there is one big difference between the payment card industry and true regulators - while the payment card industry may be able to put you out of business, they can't put you in jail.

Contractual standards promulgated by self-regulatory bodies are enforceable under contract. Failure to comply carries with it the remedies established by the contract, which may include fines and/or loss of valuable contract rights, and such consequences are enforceable under contract law.

Principles

A principle is a widely accepted rule, norm, doctrine, or assumed truth. A set of principles forms the basic foundation for a specific set of guidelines. A good example of general principles is the seven principles of the OECD Guidelines for the Security of Information Systems and Networks (awareness, responsibility, response, risk assessment, security design and implementation, security management, and reassessment principles). Principles, then, are fundamental beliefs that set the course for the rest of the thinking on the subject at hand. Principles can be combined with a semi-detailed set of controls which flow from them, such as the Generally Accepted Internet Security Principles.

Many principles will find their way into standards and guidelines and even regulations, as they serve as the general behavior directives that drive standards discussions in the first place. One example of principles directly creating standards is the Generally Accepted Accounting Principles found within the world of finance, which have spawned the SAS 91 accounting standard.

Principles are not enforceable by law. Failure to follow principles may result in actions that are not in keeping with the rule of law or proper conduct.

International standards and control models

We love the origin of the term standard. Originally a standard was a conspicuous object (a tall pole with a banner, flag, or symbol on top) that was used to mark a rallying point in battle. Today, a standard is a criterion, a means of determining what rules, principles, and measures established by an authority should apply to a given situation in order to improve efficiency and compatibility. Control models are very much the same thing but tend to focus more specifically on certain aspects of implementation. In contrast to the original definition, a standard today comes into existence because people rally around it rather than the other way around. International standards and control models are consensus models that are generally accepted by the user community (or at least by the community creating the standard), such as the Control Objectives for Information Technology created by the Information Systems Audit and Control Association (a control model) or the International Organization for Standardization's (ISO) various standards, such as their ISO 27001:2005 Information Security Management System.

Formal international standards begin as draft documents, which are then published as a Request for Comments (RFC) document. As these RFCs mature through the editing process, they become proposed standards, then draft standards, and ultimately the final published standard.

Does your organization have to follow any given standard? Not if the standard's author isn't a regulator or a body with contractual authority over you - meaning that they can't force your organization to use their standard under threat of legal action or penalty. Some might think de facto standards must be followed, but that isn't true.

In the world of regulatory compliance for information services, the CobiT audit standard comes pretty close to being the de facto standard. We've seen presentations in which the speaker mistakenly told the audience that this or that regulation called for the use of CobiT as the measuring stick against which they must judge whether they were following the regulation. That just isn't so (though see our section "A note about Safe Harbors" that follows). There isn't one regulation that mandates the use of CobiT. However, the Sarbanes-Oxley Act did create the Public Company Accounting Oversight Board, which created and mandates the use of its own auditing standards. The Payment Card Industry Association also mandates the use of its PCI-DSS standard as the audit standard that must be followed when proving that you've met their guidelines. Of course, regulators are certainly free to require the use of a particular standard, but that hasn't happened yet and we think it unlikely to happen any time soon - the government tends to avoid ceding its authority to non-government groups and will, instead, plagiarize the standard and incorporate it directly into the text of the regulation.

Standards are not enforceable by law. However, failure to follow standards may result in actions contrary to regulations which are enforceable by law.

Guidelines

A great example of a guideline is The Business Continuity Institute's Business Continuity Management Good Practice Guidelines. This guideline doesn't attempt to provide every answer for business continuity planning. However, it prioritizes the steps that should be followed when creating, developing, and testing the plan.

The hallmark of a guideline is that it will have a set of general principles followed by a set of procedures which direct the user through the necessary steps that should be followed with respect to the given topic under consideration.

Guidelines are even less enforceable than standards. However, failure to follow guidelines may lead to certain aspects of a standard or regulation being skipped or missing the mark, which in turn may result in actions contrary to regulations which are enforceable by law.

Best practices

Best practices are leading edge models of methods or actions for others to follow. These are combinations of activities, processes, policies, or procedures that document the best possible way of doing something.

Are they enforceable? Nope. As a matter of fact, many times they aren't even desirable - in their fullest sense, the "best" way to do something is often also the costliest. Too many times we've seen people spending $1,000 to fix a $100 problem by using an industry "best practice." Best practices must always be viewed in context, weighing the cost vs. the benefit, and then adapted to the particular situation in which they may be applied.

Controls

Organizational controls (especially compliance controls) are the activities that comprise and are carried out by policies, standards, procedures, and practices designed to provide reasonable assurance that certain business objectives will be achieved and undesired events will be prevented or detected. These control activities help ensure that management directives are carried out by providing a description of what physical, software, procedural, or people-related conditions must be met or be in existence in order to satisfy a core requirement.

Following properly structured and validated organizational controls is the essential prerequisite to compliance, and failure to follow controls will directly lead to whatever fines or penalties the regulatory body can mete out.

Organizational policies

A policy is a definitive plan or method of action to guide decisions and actions. Policies should be selected from the various possible alternatives in the light of organizational conditions and the impact that they will have. Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the organization's management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow from policies. Policies come in two basic forms: high-level policy statements and detailed policies.

Many times the high-level policy statements will have direct links to organizational standards and procedures, such as an organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational degaussing standard and associated step-by-step procedures for more explicit information.

Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure pairing is an organizational records retention policy that details various definitions of record types and then links each type to the procedures that need to be followed to carry out that specific portion of the policy.

Policies, because they are mandatory within the organization, are enforced by the organization under the auspices of the Human Resources and/or Legal departments, and failure to comply with a policy is generally punishable by disciplinary action that could include suspension or even termination, to the extent permitted by law.

Organizational standards

Standards are definitional and clarifying in nature and are established either to further understanding and interaction or to acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define the commonality of parts and processes. A standard can be:

1. An object or measure of comparison that defines or represents the magnitude of a unit.

2. A characterization that establishes allowable tolerances or constraints for categories of items and parameter settings.

3. A degree or level of required excellence or attainment.

Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or serve as the list of controls (or their parameters) that the organization must follow in order to attain compliance within a given area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing uniformity in an area of hardware or software development.

Standards can be put in place to support a policy, a process, or as a response to an operational need. Like policies, well-structured standards will include a description of the manner in which noncompliance will be detected.

Because standards directly support organizational policies, they should be enforced with the same level of authority as the organizational policy they clarify.

Organizational procedures

A procedure is a step-by-step description of tasks required to support and carry out organizational policies. Therefore, a procedure can be thought of as an extension of a policy that articulates the process that is to be used to accomplish a control.

More formally, procedures are the step-by-step documentation of the course of action to be taken to perform a given task as a series of steps, followed in a definite, regular order, ensuring a consistent and repeatable approach to accomplishing control activities.

Because procedures directly support organizational policies, they should be enforced with the same level of authority as the organizational policy they support.

A note about "Safe Harbors"

Nothing muddies the waters better than a good "safe harbor." While a safe harbor is intended to make laws and regulations easier to follow, oftentimes the safe harbor is co-opted by consultants, speakers, and other well-meaning (or not so well-meaning) folks to support their position that a particular standard, guideline, procedure, or control is required under the law and that failure to adopt that particular standard, guideline, procedure, or control will subject the organization to legal action. Nothing could be further from the truth.

A safe harbor in a law or regulation is a shortcut used by the regulators to make it easier for people to determine whether they are in compliance with the law without requiring an in-depth analysis of each particular case. Thus, the safe harbor provides that if you take the steps required to be within the safe harbor, then you will (more or less) automatically be considered to be in compliance with that particular aspect of the law or regulation. However, the converse is not true - if you do not fall within the safe harbor, that does not necessarily mean that you are not in compliance with the law. What it does mean is that you will have to show that the steps you chose to take are also in compliance with the law.

Let's use our previously mentioned CobiT standard as an illustration. Suppose some regulator enacted a regulation requiring that certain types of organizations conduct annual audits of their information services systems that adhere to auditing standards that are reasonable and customary in the industry. Suppose further that our helpful regulator adds a statement along the lines of "The CobiT audit standards are reasonable and customary standards in the industry." This safe harbor offers organizations the opportunity to reduce compliance risk by adopting the CobiT audit standards. However, there could be many reasons why the CobiT standards are inappropriate for the particular organization - cost, complexity, etc., may simply not warrant the use of that standard. Is the organization bound to use CobiT anyway? (If you've read this far, you probably already know the answer.) The answer, of course, is no - the organization is free to use whatever auditing standard it chooses provided it meets the two-prong test of "reasonable" and "customary in the industry." However, if the organization chooses to use a standard other than CobiT and the regulator doesn't like it, the organization may have an uphill battle to convince the regulator (and, perhaps ultimately, the court) that the chosen standard is, in fact, reasonable and customary in the industry.

Safe harbors tend to be very conservative and avoid gray areas. If a safe harbor is available, it's always good to know - even if you choose not to follow it, it can provide valuable guidance and insight into the regulator's mindset. However, the needs of the organization may dictate that it leave the safe harbor and enter riskier waters.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.