Governance Elements and Processes

Laws and regulations guide the development of standards, which cultivate policies, which result in procedures.

Procedures are the detailed steps to complete a task that support departmental or organizational policies.

Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.

Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

Regulations are commonly issued in the form of laws, usually from the government (not to be confused with governance), and typically carry financial penalties for noncompliance.

Regulations and associated fines and penalties can be imposed by governments at the national, regional or local level.

Organizations need to consider the regulations that apply to their business at all levels—national, regional and local—and ensure they are compliant.

Standards cover a broad range of issues and ideas and may provide assurance that an organization is operating with policies and procedures that support regulations and are widely accepted best practices.

The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards.

The National Institute of Standards and Technology (NIST) is a United States government agency under the Department of Commerce and publishes a variety of technical standards in addition to information technology and information security standards.

The Internet Engineering Task Force (IETF) creates standards in communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language.

The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering and similar disciplines.

The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that requires certain actions be taken to protect health information.

Many organizations use published frameworks, or standards, to guide the organizational policies that support the compliance effort.

Many departments or workgroups within the organization implement procedures that detail how they complete day-to-day tasks while remaining compliant.

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

All security professionals who are certified by ISC2 are required to commit to fully support the Code of Ethics.