Cybersecurity : What differentiates Laws, Standards, Policy and Procedures?

The above snippet would have already given an insight into what differentiates them and how closely linked they are. So it will not be possible for any of the terms to function without the other properly. They give one another a sense of purpose and direction, but mixing them up is so easy.

With that out of the way, Laws are rules which have been written and approved to guild the activities of people in a country. Different country has their own laws which apply only to their sovereign nation. Most countries have specific written laws which govern the privacy, protection and security of data belonging to the public, while some countries have a shared one. An example is the General Data Protection Regulation which governs the affairs of 27 European Countries. Of course, in Africa, we all have different regulations per country, and an example is the Nigeria Data Protection Regulation (NDPR).

All organisations in that country must abide by this law and strictly followed. Some countries go as far as placing hefty sanctions on firms which violate this regulation. Also, regular monitoring for compliance has been conducted to ensure this law is strictly followed. This monitoring could come in the form of auditing or unannounced visitations. This law supersedes all other security measures and requirements which might have been outlined on a standard.

source

This brings us to what a Standard is. A standard is an outlined list of baseline security requirements needed to ensure that security is hardened in an organisation. This standard incorporates the requirement of the law to ensure that the requirements stated do not contradict the country's laws and regulations. These standards are usually created and published by private international bodies and provide much more detailed security insights which a firm could use to enhance its security. ISO, NIST, and PCI are some standards owned by different bodies to provide a clearer direction for achieving the security of assets.

While Firms might not have control over laws and Standards, they are fully responsible for creating, implementing and communicating policies to all relevant stakeholders. These policies are usually created to meet the requirements set out in a standard and usually provide a high outline of what is expected from staff and third parties. This Policy gives a snapshot of what is required of staff and relevant stakeholders to meet the standard requirement. This policy needs to be approved by the management of a firm, and adequate communication needs to be done so that all relevant stakeholders will be aware. Most policies created are mandatory towards the fulfilment and implementation of a standard requirement.

source

With the policy mandated by the standard, Procedure just gives an in-depth, step-by-step guideline to meet an organisation's policy. This procedure mostly contains the process, guidelines, and registers which are used to ensure that security is embedded in the day to day running of a business. The procedure is low level while the policy is high level. While this security policy might have provided a rule that must be followed, the procedure provides the detailed step to ensure that security is achieved in line with what is stated in a policy and standard.

Thats is just a summarised version of these different terms which always come up during a security conversation, and it is important to understand them to navigate these conversations easily.

Thanks for the comments and suggestions in advance.

Posted Using LeoFinance ^Beta