What is the difference between Advisory and Regulatory security policies?
Answer: C
Advisory - Advisory policies are security policies that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth).
A company with such policies wants most employees to consider these policies mandatory.
Most policies fall under this broad category.
Advisory policies can have many exclusions or application levels.
Thus, these policies can control some employees more than others, according to their roles and responsibilities within that organization.
For example, a policy that requires a certain procedure for transaction processing might allow for an alternative procedure under certain, specified conditions.
Regulatory - Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies might be financial institutions, public utilities, or some other type of organization that operates in the public interest.
These policies are usually very detailed and are specific to the industry in which the organization operates.
Regulatory policies commonly have two main purposes:
1. To ensure that an organization is following the standard procedures or base practices of operation in its specific industry.
2. To give an organization the confidence that it is following the standard and accepted industry policy.
Informative - Informative policies are policies that exist simply to inform the reader.
There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties.
This does not mean that the policies are authorized for public consumption but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.
References: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 12, Chapter 1: Security Management Practices.
Also see: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz.
Also see: http://i-data-recovery.com/information-security/information-security-policies-standards-guidelines-and-procedures.
Advisory and regulatory security policies are two different types of policies used in the security industry to ensure that organizations comply with security best practices and standards.
Advisory policies are recommendations or guidelines that provide direction on how an organization should manage its security operations. These policies are not legally binding, but they are considered best practices that organizations should strive to follow. Advisory policies can be developed by industry groups, consultants, or internal security teams to help guide an organization's security strategy. Examples of advisory policies include guidelines for password management, network access control, and incident response.
On the other hand, regulatory policies are legally binding requirements that organizations must follow. These policies are often created by government bodies or regulatory agencies to ensure that organizations are meeting certain security standards. Regulatory policies can cover a wide range of security areas, including data privacy, network security, and physical security. Failure to comply with regulatory policies can result in fines, penalties, or legal action. Examples of regulatory policies include the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
In summary, the main difference between advisory and regulatory security policies is that advisory policies provide recommendations or guidelines, while regulatory policies are legally binding requirements that organizations must comply with.