A Hierarchy for Policy References

admin May 19, 2019
Connect--But, be very careful

How to order your references for correctness

This is a continuation of blog posts to help those developing, writing, and editing cybersecurity policies and procedures for your business or agency. While few security assessors will “ping” you for putting your references in the wrong order, why not do it correctly early and upfront. This hierarchy is based upon the United States (US) Constitution, but our foreign visitors can use this as a roadmap for their cyber-artifacts.

1. THE US CONSTITUTION

This is aligned with the sovereign nature of every countries’ basis for the creation of their respective government. This document describes the form and branches of government, democratic, and in many cases for even those totalitarian nation-states such as North Korea. This is not typically required in a cybersecurity policy or procedure documents.

2. INTERNATIONAL LAWS

These are bilateral or multi-lateral agreements between nations and typically ratified by each country. These are not typically found in the reference section.

3. LEGISLATION

The laws of the land that are drafted, ratified by an elected body of legislators, and typically signed by the executive of the nation. The rules for creating laws are found in the base creation document such as the US Constitution. This will most likely be a starting point for any cyber-policy. Examples would include the Clinger-Cohen or Presidential Powers Acts.

4. COMMON/CASE LAW

These are laws that arise from the courts during the course of their interpretation of a law. They are the result of the outcome from a case that establishes legal precedence, and may be used by the courts to make future determinations of cases. A recent example is the Markus v. Aerojet Rocketdyne Holdings Inc. case in 2019–expect his case to be foundational to future litigation against federal contractors who do not meet federal cybersecurity standards.

CYBERLAW: May 8, 2019 — A Hallmark Day in Cybersecurity

5. REGULATIONS

These are created by the executive branch to better execute the laws of the legislature. An example is the Federal Acquisition Regulation (FAR) that is used throughout the federal government to define federal contracting rules–what is allowed and what is not allowed. FAR clause 52.204-21 describes contractor requirements for securing and protecting Controlled Unclassified Information (CUI). This reference is found in contracts and should be added in policy documents for emphasis as appropriate.

6. POLICY

Policy is the broad description of how to conform with a law or regulation. An example would be DOD policies that, for example, require Two-factor authentication or encryption of Data at Rest (DAR)/Data in Motion (DIM). Policy may come from the executive branch or its subordinate agencies such as Departments of Energy, Education, Defense, etc. When drafting your target policy document, it is not uncommon to reference other existing supporting policies.

7. PROCEDURES, GUIDELINES, INSTRUCTIONS

This is a description of how to implement an action. This may take the form of how to conduct a security assessment or how to notify government Incident Response personnel when an event BECOMES an incident. These may be from a higher headquarters such as a DOD Instruction or DODI, or a local Standard Operating Procedure (SOP) on how to conduct patch management. These will be included if appropriate to the policy document being formulated.

8. CODES OF CONDUCT/BEST PRACTICES

“Best Practice” Should be a Process NOT a Catch-phrase

Codes of conduct describe individual standards required. This will include legal, moral, and ethical obligations of the individual and/or the profession. For example, CISSP requires that these individuals adhere to the protection of society.

“The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”


CISSP certification: ISC² Code of Ethics

Best practices are general “rules of thumb” that have been demonstrated to be valuable and required. They are seen as how to ensure safety and security. A common cybersecurity best practice is a need for Two-factor authentication. It is not mandatory, but is considered essential from within the cybersecurity profession.

Tags: , , , ,

More Stories

Cyber Threat Hunting (CTH) in an Age of Escalating Cyber Threats

Dr. Mark Russo July 4, 2023

SPOT: Security Technical Implementation Guides (STIGs): Why are They Neglected by System Developers?

Dr. Mark Russo December 31, 2022

The Importance of Metrics in Cybersecurity

Dr. Mark Russo December 30, 2022
art artistic blank book bindings

CRITIQUE: The Problems with the Scientific-based Risk Metrics Methodology

Dr. Mark Russo August 16, 2020

CO-ACT: An Ethics Model for Data Science Privacy

Dr. Mark Russo June 24, 2020

SPOT: Neural Networks to Improve Cyber-Intrusion Detection

admin January 21, 2020

You may have missed

Cyber Threat Hunting (CTH) in an Age of Escalating Cyber Threats

Dr. Mark Russo July 4, 2023

Should You Hire a Virtual CISO?

admin February 1, 2023

TOP 5: The Main Implications of ML to Help Deter Cyber-threats

Dr. Mark Russo January 27, 2023

CYBER DECEPTION: Impact to Cybersecurity and the Application of Machine Learning Tools

Donna Columbus January 15, 2023
%d bloggers like this: