What is the difference between Regulations, Legislation, and Guidance?

Different types of documentation serve different purposes. As the following list explains, some documentation is internally driven and some is externally driven. To prepare for the interview process for an information security position, you need to understand what types of internal security documentation the organization may have and what external security-related regulations the organization must comply with. Your understanding should include the differences between regulations, policy, procedures, legislation, and guidance, as follows:

Regulations: Regulations are requirements that can come in many forms. They may be industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy and Security Rules issued under it, which address health care organizations and their business associates. Regulations may also be wider in scope, for example, the Federal Information Security Management Act (FISMA), which applies to U.S. federal agencies and the contractors that operate systems on their behalf. Regulations are basically the formal requirements that an organization must follow. Regulations can be either internally or externally generated, monitored, and enforced.

Policy: Businesses create specific requirements that their employees and departments must adhere to. These requirements can include policies regarding the acceptable use of computers or the use of the company’s logo. A policy is basically a statement of what must be done, not how to do it. Policy is typically internally developed documentation but may be put in place to meet an external requirement, regulation, or piece of legislation.

Procedures: Procedures are generally put in place to show how to meet a policy. They are more detailed than policy statements, typically step-by-step instructions for a specific task such as provisioning an account or responding to an incident. Procedures are typically internally developed documentation.

Legislation: Legislation is an external directive, enacted by a government, that places specific requirements on a particular industry or on organizations in general. It must be met in order for the business to be legally compliant, and non-compliance can carry legal penalties. Legislation is typically an external driver, unless, of course, you are part of the government organization creating the legislation.

Guidance: A set of recommendations or suggestions about things that should be considered when implementing security in the organization is referred to as guidance. Guidance is not a requirement but rather a suggestion, and it can originate internally or externally. For example, guidance might come as recommendations made by your manager or a senior member of your team, written up into an informal checklist or other document. [IT Security Interviews Exposed, Chris Butler 2007]
