http://www.unifiedcompliance.com/
IT Unified Compliance Framework
Organizational policies
A policy is a definitive plan or method of action to guide decisions and actions. Policies should be selected from the various possible alternatives in the light of organizational conditions and the impact that they will have.

Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the organization's management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow from policies.

Policies come in two basic forms: high-level policy statements and detailed policies.

Many times the high-level policy statements will have direct links to organizational standards and procedures, such as an organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational degaussing standard and associated step-by-step procedures for more explicit information.

Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure pairing is an organizational records retention policy that details various definitions of record types and then links each type to the procedures that need to be followed to carry out that specific portion of the policy.

Policies, because they are mandatory within the organization, are enforced by the organization under the auspices of the Human Resources and/or Legal departments, and failure to comply with a policy is generally punishable by disciplinary action that could include suspension or even termination to the extent permitted by law.

Organizational standards
Standards are definitional and clarifying in nature and are established either to further understanding and interaction or to acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define the commonality of parts and processes. A standard can be:
1. An object or measure of comparison that defines or represents the magnitude of a unit.
2. A characterization that establishes allowable tolerances or constraints for categories of items and parameter settings.
3. A degree or level of required excellence or attainment.

Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or serve as the list of controls (or their parameters) that the organization must follow in order to attain compliance within a given area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing uniformity in an area of hardware or software development.

Standards can be put in place to support a policy, a process, or as a response to an operational need. Like policies, well-structured standards will include a description of the manner in which noncompliance will be detected.

Because standards directly support organizational policies, they should be enforced with the same level of authority as the organizational policy they clarify.

Organizational procedures
A procedure is a step-by-step description of tasks required to support and carry out organizational policies. More formally, procedures are the step-by-step documentation of the course of action to be taken to perform a given task as a series of steps, followed in a definite regular order, ensuring a consistent and repeatable approach to accomplishing control activities. Therefore, a procedure can be thought of as an extension of a policy that articulates the process that is to be used to accomplish a control.

Because procedures directly support organizational policies, they should be enforced with the same level of authority as the organizational policy they support.

University of Arizona Policy and Guidance
The Information Security Office is responsible for coordinating the development and dissemination of information security policies, standards, procedures and guidelines for the University. Info Sec is also responsible for coordinating various regulatory compliance efforts. See below for links to access policies, standards, procedures and guidelines published by Info Sec.

Policies are high-level statements, equivalent to organizational law, that drive decision making within the University. They provide a basis for verifying compliance through audits and assessments.

Standards define minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.

Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices. Procedures may also play an important role in maintaining compliance with regulations.

Guidelines are general recommendations or instructions that provide a framework for achieving compliance with policies.

Legal Sources
Federal Policy
Health Insurance Portability and Accountability Act 45 CFR Parts 160, 162, and 164 (HIPAA)
Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA)
Computer Fraud and Abuse Act of 1986
USA PATRIOT Act
State & Local Policy
Arizona Revised Statutes Section 15-1823 (Identification numbers, social security numbers)
Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
Arizona Board of Regents Policy 9-201 (General Policy)
Arizona Board of Regents Policy 9-202 (University Responsibilities)
Payment Card Industry Data Security Standard
Computer Security Act of 1987
Homeland Security Act
The Children's Internet Protection Act of 2000
The No Electronic Theft (NET) Act of 1997

University of Tasmania
http://www.utas.edu.au/governance-legal/policy/utas-policy-framework

What is a Policy?
Definition: A 'statement of intent' defining the position of the University.
Application: University-wide application, including all Faculties, Schools, Centres and Institutes and all University Business Enterprises.
Approval Authority: In almost all cases, Policy is approved by the Vice-Chancellor (=UC President). Policy is approved by Council where:
- a 'statement of intent' is embodied in an Ordinance, Rule or By-Law, which must be approved by Council;
- Council approval is required for legal reasons; or
- the Policy deals with a particularly far-reaching issue appropriately approved by Council (e.g. Investment Policy).
Review Timeframes: Policy content and implementation are reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Policy are approved by the Director, Governance and Legal. Major amendment(s) to Policy are approved by the initial Approval Authority (Vice-Chancellor or Council).

What is a Procedure?
Definition: Step-by-step instructions for implementing a Policy.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Procedure content and use is reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).

What is a Guideline?
Definition: Guide to implementing a Policy and/or Procedure.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Guidelines content and use is reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Guidelines are approved by the Director, Governance and Legal. Major amendment(s) to Guidelines are approved by the initial Approval Authority (Policy Maker).

What is a Standard?
Definition: Minimum technical or other specifications for the implementation of a Policy and/or Procedure.
Application: University-wide application OR specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.
Approval Authority: Approved by a Policy Custodian, which includes:
- the Vice-Chancellor;
- Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
- Heads of Schools and Centres;
- Heads of Administrative Sections/Work Units and Directors/Principals of University Institutes.
Review Timeframes: Standards content and use is reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).
Review Approval Authority: Minor amendment(s) to Procedures are approved by the Director, Governance and Legal. Major amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).