A Hierarchy for Policy References
How to order your references for correctness
This is a continuation of a series of blog posts for those who develop, write, and edit cybersecurity policies and procedures for a business or agency. Few security assessors will “ping” you for putting your references in the wrong order, but it costs little to get it right early and up front. The hierarchy below is based on the United States (US) legal system, starting from the Constitution; readers outside the US can use it as a roadmap for their own cyber-artifacts, substituting their own founding document and legal instruments at each level.
1. THE US CONSTITUTION
Every sovereign state has a founding document that establishes its government; for the US that is the Constitution. Such a document describes the form and branches of government, in democracies and, in many cases, even in totalitarian nation-states such as North Korea. It is not typically cited in cybersecurity policy or procedure documents.
2. INTERNATIONAL LAWS
These are bilateral or multilateral agreements between nations, typically ratified by each signatory country. They are not typically found in the reference section of a cybersecurity policy.
3. LEGISLATION
These are the laws of the land: drafted and passed by an elected body of legislators and typically signed by the executive of the nation. The rules for creating laws are found in the founding document, such as the US Constitution. Legislation will most likely be the starting point for any cyber-policy. Examples would include the Clinger-Cohen or Presidential Powers Acts.
4. COMMON/CASE LAW
This is law that arises from the courts in the course of interpreting legislation. The outcome of a case establishes a legal precedent that courts may rely on when deciding future cases. A recent example is the Markus v. Aerojet Rocketdyne Holdings Inc. decision in 2019; expect this case to be foundational to future litigation against federal contractors who do not meet federal cybersecurity standards.
5. REGULATIONS
These are created by the executive branch to carry out the laws passed by the legislature. An example is the Federal Acquisition Regulation (FAR), which is used throughout the federal government to define federal contracting rules: what is allowed and what is not. FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, sets the minimum safeguarding requirements contractors must meet for the Federal contract information on their systems. This reference appears in contracts and should be added to policy documents for emphasis where appropriate.
6. POLICY
Policy is the broad description of how an organization conforms to a law or regulation. Examples would be DOD policies that require two-factor authentication or encryption of Data at Rest (DAR) and Data in Motion (DIM). Policy may come from the executive branch or its subordinate agencies, such as the Departments of Energy, Education, and Defense. When drafting your target policy document, it is common to reference other existing policies that support it.
7. PROCEDURES, GUIDELINES, INSTRUCTIONS
These describe how to carry out a specific action: for example, how to conduct a security assessment, or how to notify government Incident Response personnel when an event becomes an incident. They may come from a higher headquarters, such as a DOD Instruction (DODI), or be local, such as a Standard Operating Procedure (SOP) for patch management. Include them when they are relevant to the policy document being formulated.
8. CODES OF CONDUCT/BEST PRACTICES
Codes of conduct describe the standards required of individuals, including the legal, moral, and ethical obligations of the individual and of the profession. For example, CISSP holders must adhere to the ISC² Code of Ethics, which opens with a duty to protect society:
“The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”
CISSP certification: ISC² Code of Ethics
Best practices are general “rules of thumb” that have been demonstrated to be valuable in achieving safety and security. A common cybersecurity best practice is two-factor authentication: it is not mandated by law, but the cybersecurity profession considers it essential.