http://www.unifiedcompliance.com/
IT Unified Compliance Framework
Organizational policies
A policy is a definitive plan or method of action to guide decisions and actions.
Policies should be selected from the various possible alternatives in the light of organizational conditions and the impact that
they will have.
Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken
regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future
decision making to be in line with the philosophy, objectives, and strategic plans established by the organization's
management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with
the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and
measured.
In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of
compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course
of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to
determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow
from policies.
Policies come in two basic forms: high-level policy statements and detailed policies.
Many times the high-level policy statements will have direct links to organizational standards and procedures, such as an
organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational
degaussing standard and associated step-by-step procedures for more explicit information.
Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed
policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure
pairing is an organizational records retention policy that details various definitions of record types and then links each type to
the procedures that need to be followed to carry out that specific portion of the policy.
Policies, because they are mandatory within the organization, are enforced by the organization under the auspices of the
Human Resources and/or Legal departments and failure to comply with a policy is generally punishable by disciplinary action
that could include suspension or even termination to the extent permitted by law.

Organizational standards
Standards are definitional and clarifying in nature and are established either to further understanding and interaction or to
acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define
the commonality of parts and processes. A standard can be:
1. An object or measure of comparison that defines or represents the magnitude of a unit.
2. A characterization that establishes allowable tolerances or constraints for categories of items and parameter
settings.
3. A degree or level of required excellence or attainment.
Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or
serve as the list of controls (or their parameters) that the organization must follow in order to attain compliance within a given
area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing
uniformity in an area of hardware or software development.
Standards can be put in place to support a policy, a process, or as a response to an operational need. Like policies, well-
structured standards will include a description of the manner in which noncompliance will be detected.
Because standards directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they clarify.

Organizational procedures
A procedure is a step-by-step description of tasks required to support and carry out organizational policies. More formally,
procedures are the step-by-step documentation of the course of action to be taken to perform a given task as a series of steps,
followed in a definite regular order. Therefore, a procedure can be thought of as an extension of a policy that articulates the
process that is to be used to accomplish a control, ensuring a consistent and repeatable approach to accomplishing control
activities.
Because procedures directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they support.

----------------------------------------------------------------------------------------------------------------------------------
University of Tasmania
http://www.utas.edu.au/governance-legal/policy/utas-policy-framework

What is a Policy?
Definition: A 'statement of intent' defining the position of the University.
Application: University-wide application, including:
- all Faculties, Schools, Centres and Institutes; and
- all University Business Enterprises.
Approval Authority: In almost all cases, Policy is approved by the Vice-Chancellor (=UC President). Policy is approved by
Council where:
- a 'statement of intent' is embodied in an Ordinance, Rule or By-Law, which must be approved by Council;
- Council approval is required for legal reasons; or
- in exceptional circumstances, the Policy deals with a particularly far-reaching issue appropriately approved by Council
  (e.g. Investment Policy).
Review Timeframes: Policy content and implementation are reviewed 12 months after initial approval under the UTAS Policy
Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Policy are approved by the Director, Governance and Legal. Major
amendment(s) to Policy are approved by the initial Approval Authority (Vice-Chancellor or Council).

What is a Procedure?
Definition: Step-by-step instructions for implementing a Policy.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro
  Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
  Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Procedure content and use is reviewed 12 months after initial approval under the UTAS Policy Framework
(Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major
amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).

What is a Guideline?
Definition: Guide to implementing a Policy and/or Procedure.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro
  Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
  Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Guidelines content and use is reviewed 12 months after initial approval under the UTAS Policy Framework
(Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Guidelines are approved by the Director, Governance and Legal. Major
amendment(s) to Guidelines are approved by the initial Approval Authority (Policy Maker).

What is a Standard?
Definition: Minimum technical or other specifications for the implementation of a Policy and/or Procedure.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro
  Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration,
  Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Standards content and use is reviewed 12 months after initial approval under the UTAS Policy Framework
(Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major
amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).

----------------------------------------------------------------------------------------------------------------------------------
University of Arizona Policy and Guidance
The Information Security Office is responsible for coordinating the development and dissemination of information security
policies, standards, procedures and guidelines for the University. Info Sec is also responsible for coordinating various
regulatory compliance efforts. See below for links to access policies, standards, procedures and guidelines published by
Info Sec.
Policies are high-level statements, equivalent to organizational law, that drive decision making within the University.
University policies are subject to a rigorous review process.
Standards define minimum requirements designed to address certain risks and specific requirements that ensure compliance
with a policy or standard. They provide a basis for verifying compliance through audits and assessments. All units must meet
the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the
minimum requirements.
Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce
University policies. Procedures may also play an important role in maintaining compliance with regulations. They are more
technical in nature than policies and standards and are updated on a more frequent basis to account for changes in
technology and/or University practices.
Guidelines are general recommendations or instructions that provide a framework for achieving compliance with policies.

Legal Sources
Federal Policy
- Health Insurance Portability and Accountability Act, 45 CFR Parts 160, 162, and 164 (HIPAA)
- Family Educational Rights and Privacy Act, 34 CFR Part 99 (FERPA)
- Computer Fraud and Abuse Act of 1986
- USA PATRIOT Act
- Computer Security Act of 1987
- Homeland Security Act
- The Children's Internet Protection Act of 2000
- The No Electronic Theft (NET) Act of 1997
State & Local Policy
- Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
- Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
- Arizona Board of Regents Policy 9-201 (General Policy)
- Arizona Board of Regents Policy 9-202 (University Responsibilities)
Other
- Payment Card Industry Data Security Standard