SPOT: Policy v. Procedure
There is a Difference…
POLICY: Broad and informative high-level description of principles focused on a particular topic area.
For example, Cybersecurity Policy: “All Federal Agencies will comply with NIST 800-53 revision 4 No Later Than 1 January 20XX.”
PROCEDURE: A description of steps required to follow, execute, and complete a specified process.
For example, Risk Assessment Procedure. (See below)
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implements RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.