http://www.unifiedcompliance.com/
IT Unified Compliance Framework
Organizational policies
A policy is a definitive plan or method of action to guide decisions and actions.
Policies should be selected from the various possible alternatives in the light of organizational conditions and the impact that
they will have.
Policies are meant to limit individual discretion to make decisions about which choices and actions (or behaviors) can be taken
regarding the topic in question. Because of this, a policy's intended purpose is to influence and guide both present and future
decision making to be in line with the philosophy, objectives, and strategic plans established by the organization's
management teams. In addition to policy content, well-structured policies describe the consequences of failing to comply with
the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and
measured.
In practice, an organizational policy is a formal document describing the organization's position on a particular aspect of
compliance with regulations, standards, and guidelines. Therefore, it acts as an official statement of a position, plan, or course
of action established by an identified sponsoring authority, which is designed to influence, to provide direction, and to
determine decisions and actions with regard to a specific topic. Organizational standards, procedures, and guidelines flow
from policies.
Policies come in two basic forms: high-level policy statements and detailed policies.
Many times the high-level policy statements will have direct links to organizational standards and procedures, such as an
organizational policy for the destruction of electronic media (tapes, drives, etc.) that would then point to the organizational
degaussing standard and associated step-by-step procedures for more explicit information.
Detailed policies provide more in-depth information such as purpose, authority, and detailed definitions of sub-topics. Detailed
policies often have direct links to individual procedures for follow-through methods. A good example of a policy-procedure
pairing is an organizational records retention policy that details various definitions of record types and then links each type to
the procedures that need to be followed to carry out that specific portion of the policy.
Policies, because they are mandatory within the organization, are enforced by the organization under the auspices of the
Human Resources and/or Legal departments, and failure to comply with a policy is generally punishable by disciplinary action
that could include suspension or even termination, to the extent permitted by law.

Organizational standards
Standards are definitional and clarifying in nature, established either to further understanding and interaction or to
acknowledge observed (or desired) norms of exhibited characteristics or behavior. Organizational standards are used to define
the commonality of parts and processes. A standard can be:
1. An object or measure of comparison that defines or represents the magnitude of a unit.
2. A characterization that establishes allowable tolerances or constraints for categories of items and parameter settings.
3. A degree or level of required excellence or attainment.
Thus, organizational standards may specify minimum performance levels, describe best practices within the company, or
serve as the list of controls (or their parameters) that the organization must follow in order to attain compliance within a given
area. In general computing terms, a standard is a set of detailed technical guidelines used as a means of establishing
uniformity in an area of hardware or software development.
Standards can be put in place to support a policy, a process, or as a response to an operational need. Like policies,
well-structured standards will include a description of the manner in which noncompliance will be detected.
Because standards directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they clarify.

Document1

Organizational procedures
A procedure is a step-by-step description of tasks required to support and carry out organizational policies. Therefore, a
procedure can be thought of as an extension of a policy that articulates the process that is to be used to accomplish a control.
More formally, procedures are the step-by-step documentation of the course of action to be taken to perform a given task as a
series of steps, followed in a definite regular order, ensuring a consistent and repeatable approach to accomplishing control
activities.
Because procedures directly support organizational policies, they should be enforced with the same level of authority as the
organizational policy they support.

____________________


University of Arizona Policy and Guidance


The Information Security Office is responsible for coordinating the development and dissemination of
information security policies, standards, procedures and guidelines for the University. Info Sec is also
responsible for coordinating various regulatory compliance efforts. See below for links to access
policies, standards, procedures and guidelines published by Info Sec.
Policies are high-level statements, equivalent to organizational law, that drive decision making within
the University. University policies are subject to a rigorous review process.
Standards define minimum requirements designed to address certain risks and specific requirements
that ensure compliance with a policy or standard. They provide a basis for verifying compliance through
audits and assessments. All units must meet the standards supporting the Information Security Policy
and are encouraged to adopt local standards that exceed the minimum requirements.
Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are
designed to reinforce University policies. Procedures may also play an important role in maintaining
compliance with regulations.
Guidelines are general recommendations or instructions that provide a framework for achieving
compliance with policies. They are more technical in nature than policies and standards and are updated
on a more frequent basis to account for changes in technology and/or University practices.

Legal Sources

Federal Policy
Health Insurance Portability and Accountability Act, 45 CFR Parts 160, 162, and 164 (HIPAA)
Family Educational Rights and Privacy Act, 34 CFR Part 99 (FERPA)
Computer Fraud and Abuse Act of 1986
USA PATRIOT Act
Computer Security Act of 1987
Homeland Security Act
The Children's Internet Protection Act of 2000
The No Electronic Theft (NET) Act of 1997

State & Local Policy
Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
Arizona Board of Regents Policy 9-201 (General Policy)
Arizona Board of Regents Policy 9-202 (University Responsibilities)
Payment Card Industry Data Security Standard
____________________

University of Tasmania
http://www.utas.edu.au/governance-legal/policy/utas-policy-framework

What is a Policy?

Definition
A statement of intent defining the position of the University.

Application
University-wide application, including:
all Faculties, Schools, Centres and Institutes, and
all University Business Enterprises.

Approval Authority
In almost all cases, Policy is approved by the Vice-Chancellor (=UC President).
In exceptional circumstances, Policy is approved by Council where:
a 'statement of intent' is embodied in an Ordinance, Rule or By-Law, which must be approved by Council;
Council approval is required for legal reasons; or
the Policy deals with a particularly far-reaching issue appropriately approved by Council (e.g. Investment Policy).

Review Timeframes
Policy content and implementation are reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).

Review Approval Authority
Minor amendment(s) to Policy are approved by the Director, Governance and Legal.
Major amendment(s) to Policy are approved by the initial Approval Authority (Vice-Chancellor or Council).

What is a Procedure?

Definition
Step-by-step instructions for implementing a Policy.

Application
University-wide application, OR
specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.

Approval Authority
Approved by a Policy Custodian, which includes:
the Vice-Chancellor;
Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
Heads of Schools and Centres;
Heads of Administrative Sections/Work Units; and
Directors/Principals of University Institutes.

Review Timeframes
Procedure content and use are reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).

Review Approval Authority
Minor amendment(s) to Procedures are approved by the Director, Governance and Legal.
Major amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).

What is a Guideline?

Definition
Guide to implementing a Policy and/or Procedure.

Application
University-wide application, OR
specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.

Approval Authority
Approved by a Policy Custodian, which includes:
the Vice-Chancellor;
Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
Heads of Schools and Centres;
Heads of Administrative Sections/Work Units; and
Directors/Principals of University Institutes.

Review Timeframes
Guideline content and use are reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).

Review Approval Authority
Minor amendment(s) to Guidelines are approved by the Director, Governance and Legal.
Major amendment(s) to Guidelines are approved by the initial Approval Authority (Policy Maker).


What is a Standard?

Definition
Minimum technical or other specifications for the implementation of a Policy and/or Procedure.

Application
University-wide application, OR
specific to a Faculty, School, Centre, Institute or Division, Section or Work Unit.

Approval Authority
Approved by a Policy Custodian, which includes:
the Vice-Chancellor;
Members of the Senior Management Team (SMT), including the Deputy Vice-Chancellor (Academic) and Provost, Pro Vice-Chancellor (Research), Pro Vice-Chancellor (Students and Education), Executive Director Finance and Administration, Executive Director Planning and Development, Chair of Academic Senate and Deans of Faculties;
Heads of Schools and Centres;
Heads of Administrative Sections/Work Units; and
Directors/Principals of University Institutes.

Review Timeframes
Standard content and use are reviewed 12 months after initial approval under the UTAS Policy Framework (Review 1). Thereafter, reviews are undertaken every three years (Review 2 onwards).

Review Approval Authority
Minor amendment(s) to Procedures are approved by the Director, Governance and Legal.
Major amendment(s) to Procedures are approved by the initial Approval Authority (Policy Maker).
