Compliance - The basics of cutting through the noise, what do we actually have to comply with?

Updated: December 17, 2010

Statutes

A statute is an act of federal, state, parliamentary, or provincial legislation which declares the law pertaining to a certain subject (e.g. the Income Tax Act, the Canada Corporations Act, the Sarbanes-Oxley Act of 2002). Statutory law is legislatively created law. Administrative agencies adopt statutes as regulations and lesser bodies adopt them as ordinances.

Regulations

To regulate is to bring under the force of law or a governing authority. Everyone in his or her own country falls within the realm of their national, regional, and local laws. Hence, traditional regulators are those within the levels of government just mentioned. When governmental agencies create their acts, they are codifying legal documents that resulted from deliberations of their legislative bodies. Often, however, the acts passed by those legislative bodies establish broad principles rather than detailed prescriptions for the behavior of people and companies and delegate to the regulators responsibility for filling in the details and gaps. The regulators are empowered to interpret how the laws are to be implemented and to establish rules for following those laws. Those rules are then documented as regulations, such as the Code of Federal Regulations that we have in the United States. These acts and regulations, therefore, must be followed under penalty of law.

Directives

Directives can be legislative acts, such as those of the European Union, or organizational directives, such as those issued by the US White House's Office of Management and Budget (OMB), which require those under the issuer's purview to achieve a particular result without dictating the means of achieving it. Directives normally leave those who follow them with a certain amount of leeway as to the exact rules to be adopted.

Contractual and self-regulatory structures

There is much confusion between "regulations" promulgated by government regulators as discussed above and the rules, standards and, yes, "regulations" promulgated by other so-called regulatory bodies and other organizations that can and do emerge to rein in our actions. Variously known as "self-regulatory bodies," "standards bodies," or by similar names, these organizations are not part of the government and do not have the force of law behind their requirements, but failure to comply with those requirements may well disqualify an entity from participating in certain businesses. The promulgators of these rules may be industry-based organizations that band together to address a concern that is common to industry members. For example, the credit card companies (Visa, MasterCard, American Express, etc.) have banded together to create the Payment Card Industry Security Standard. They may also be self-appointed watchdog organizations that have gained sufficient acceptance, prominence and/or moral authority over time that people turn to them as authorities in the field. For example, the ability to display the BBBOnline and TRUSTe seals in online commerce has achieved the type of prominence that makes it worthwhile to comply with those standards. Certain membership-based organizations promote similar types of rules as a condition of membership. The unifying principle is that they all have something you want, and you're willing to contractually commit to play by their rules to get it.

We'll get to the definition of a standard in a moment, but just because this one is called a standard (it can't be called a law, Act, or regulation because it does not come from the government) doesn't mean that it can be ignored without consequences. Compliance with these types of contractual standards is, legally speaking, optional. If a company is not interested in accepting credit cards as a form of payment, it is not obligated to comply with the PCI standards. However, anyone wanting to accept credit cards is required to contractually agree to comply with the PCI standard. Similarly, anyone wanting to display the BBBOnline seal must contractually agree to follow certain guidelines and processes. Failure to comply with these obligations creates a breach of contract and, depending on the contract terms, may result in a variety of fines and, potentially, the loss of valuable contractual rights - losing the ability to accept credit cards in the case of the PCI standards could have grave consequences for just about any merchant. Losing the right to use the BBBOnline or TRUSTe seals may not have as severe an effect on a merchant as being unable to accept credit cards, but it could drive customers away to competitor sites - particularly if the contractual breach is widely publicized. The payment card industry has already fined a great many organizations and effected the closure of at least one organization that we know of for not properly following its standard. Because the payment card industry can exercise authority over its user body, and that user body is so large, in this instance it can be compared to a regulator even though it hasn't been given the statutory mandate of one. However, there is one big difference between the payment card industry and true regulators - while the payment card industry may be able to put you out of business, it can't put you in jail.

Principles

A principle is a widely accepted rule, norm, doctrine, or assumed truth. A set of principles forms the basic foundation for a specific set of guidelines. A good example of general principles is the seven principles of the OECD Guidelines for the Security of Information Systems and Networks (awareness, responsibility, response, risk assessment, security design and implementation, security management, and reassessment). Principles, then, are fundamental beliefs that set the course for the rest of the thinking on the subject at hand. Principles can be combined with a semi-detailed set of rules which flow from them, such as the Generally Accepted Internet Security Principles.

Many principles will find their way into standards and guidelines and even regulations, as they serve as the general behavior directives that drive standards discussions in the first place. One example of a principle directly creating standards is the Generally Accepted Accounting Principles found within the world of finance, which have spawned the SAS 91 accounting standard.

International standards and control models

We love the origin of the term standard. Originally a standard was a conspicuous object (a tall pole with a banner, flag, or symbol on top) that was used to mark a rallying point in battle. Today, a standard is a criterion, a means of determining what rules, principles, and measures established by an authority should apply to a given situation in order to improve efficiency. Control models are very much the same thing but tend to focus more specifically on certain aspects of implementation. In contrast to the original definition, a standard today comes into existence because people rally around it rather than the other way around. International standards and control models are consensus models that are generally accepted by the user community (or at least by the community creating the standard), such as the Control Objectives for Information Technology created by the Information Systems Audit and Control Association (a control model) or the International Organization for Standardization's (ISO) various standards, such as its ISO 27001:2005 Information Security Management Standard.

Formal international standards begin as draft documents which are then published as a Request for Comments (RFC) document. As these RFCs mature through the editing process, they become proposed standards, draft standards, and ultimately the final published standard.

Does your organization have to follow any given standard? Not if the standard's author isn't a regulator or a body with contractual authority over you - meaning that they can't force your organization to use their standard under threat of legal action or penalty. Some might think de facto standards must be followed, but that isn't true.

In the world of regulatory compliance for information services, the CobiT audit standard comes pretty close to being the de facto standard. We've seen presentations in which the speaker mistakenly told the audience that this or that regulation called for the use of CobiT as the measuring stick against which they must judge whether they were following the regulation. That just isn't so. There isn't one regulation that mandates the use of CobiT. However, the Sarbanes-Oxley Act did create the Public Company Accounting Oversight Board, which created and mandates the use of its own auditing standards. The Payment Card Industry Association also mandates the use of its PCI-DSS standard as the audit standard that must be followed when proving that you've met its guidelines.

Guidelines

A great example of a guideline is The Business Continuity Institute's Business Continuity Management Good Practice Guidelines. This guideline doesn't attempt to provide every answer for business continuity planning. However, it prioritizes the steps that should be followed when creating, developing, and testing the plan.

The hallmark of a guideline is that it will have a set of general principles followed by a set of procedures that guide the user through the steps that should be followed with respect to the topic under consideration.

A Note About "Safe Harbors"

Nothing muddies the waters better than a good "safe harbor." While a safe harbor is intended to make laws and regulations easier to follow, oftentimes the safe harbor is co-opted by consultants, speakers, and other well-meaning (or not so well-meaning) folks to support their position that a particular standard, guideline, procedure or control is required under the law and that failure to adopt that particular standard, guideline, procedure or control will subject the organization to legal action. Nothing could be further from the truth.

A safe harbor in a law or regulation is a shortcut used by the regulators to ensure that the majority of people are in compliance with the law without requiring an in-depth analysis of each particular case. Thus, the safe harbor provides that if you take the steps required to be within the safe harbor, then you will (more or less) automatically be in compliance with that particular aspect of the law or regulation. However, the converse is not true - if you do not fall within the safe harbor, that does not necessarily mean that you are not in compliance with the law. What it does mean is that you will have to show that the steps you chose to take are also in compliance with the law.

Let's use our previously mentioned CobiT standard as an illustration. Suppose some regulator enacted a regulation requiring that certain types of organizations conduct annual audits of their information services systems that adhere to auditing standards that are reasonable and customary in the industry. Suppose further that our helpful regulators add a statement along the lines of "The CobiT audit standards are reasonable and customary standards in the industry." This safe harbor offers organizations the opportunity to reduce compliance risk by adopting the CobiT audit standards. However, there are many reasons why the CobiT standards might be inappropriate for a particular organization - cost, complexity, etc., may simply not warrant the use of that standard. Is the organization bound to use CobiT anyway? (If you've read this far, you probably already know the answer.) The answer, of course, is no - the organization is free to use whatever auditing standard it chooses provided it meets the two-prong test of "reasonable" and "customary in the industry." However, if the organization chooses to use a standard other than CobiT and the regulator doesn't like it, the organization faces an uphill battle to convince the regulator (and, perhaps ultimately, the court) that the chosen standard is reasonable and customary. Safe harbors tend to be very conservative and avoid gray areas.

Best practices

Best practices are leading-edge models of methods or actions for others to follow. They are combinations of activities, processes, policies, or procedures that document the best possible way of doing something.

Organizationally documented controls

Organizationally documented controls (especially compliance controls) are the activities that comprise and are carried out by policies, standards, procedures, and practices designed to provide reasonable assurance that certain business objectives will be achieved and undesired events will be prevented or detected. These control activities help ensure that management directives are carried out by describing what physical, software, procedural, or people-related conditions must be met or be in existence in order to satisfy a core requirement.

Organizational policies

A policy is a definitive plan or method of action to guide decisions and actions. Policies are always selected from the various possible alternatives in light of organizational conditions and the impact that they will have. Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise's management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow from policies. Policies come in two basic forms: high-level policy statements and detailed policies.

Many times the high-level policy statements will have direct links to organizational standards, such as an organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational degaussing standard for more explicit information.

Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure pairing is an organizational records retention policy that details various definitions of record types and then links each type to the procedures that need to be followed to carry out that specific portion of the policy.

Organizational standards

Standards are definitional in nature and established either to further understanding and interaction or to acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define the commonality of parts and processes. A standard can be:

1. An object or measure of comparison that defines or represents the magnitude of a unit

2. A characterization that establishes allowable tolerances or constraints for categories of items

3. A degree or level of required excellence or attainment

Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or serve as the list of controls that the organization must follow in order to attain compliance within a given area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing uniformity in an area of hardware or software development.

Standards can be put in place to support a policy or a process, or as a response to an operational need. Like policies, well-structured standards will include a description of the manner in which noncompliance will be detected. Records management and recordkeeping standards are authoritative standards to which an organization is subject or which it chooses to adopt. Standards provide benchmarks for measuring performance and describe best practices in any or all aspects of recordkeeping.

Organizational procedures

A procedure is a step-by-step description of tasks required to support and carry out organizational policies or standards. Therefore, a procedure can be thought of as an extension of a policy that articulates the process that is to be used to accomplish a goal.

Procedures are the step-by-step documented form of controls, or the course of action to be taken to perform a given task as a series of steps followed in a definite, regular order, ensuring a consistent and repeatable approach to actions.