gidyn
Contributor III

What is more important, regulations or policy?

I've seen variations on this crop up a few times in practice tests. The answers vary:

- Policy, because that will include any applicable regulations.

- Regulations: you have to follow the law even when it's in conflict with your policy.

What answer would you give if this came up in an exam, if "it depends" isn't one of the options?

3 Replies
RRoach
Contributor I

One where an organization or individual may be legally liable (party to a law petition, subject to fines, imprisonment, or employee action). $00.02

tmekelburg1
Community Champion

I use this to help me keep track of the hierarchy: https://www.complianceforge.com/word-crimes/policy-vs-standard-vs-control-vs-procedure 

Just add 'Regulations' to the bottom of the pyramid as being the most important (or bare minimum, depending on how you look at it). Also, depending on the type of policy, it doesn't have to reference a regulation to justify its existence.

rslade
Influencer II

> gidyn (Newcomer III) posted a new topic in Exam Preparation on 03-22-2021 08:06

> I've seen variations on this crop up a few times in practice tests. The answers vary:
>
> - Policy, because that will include any applicable regulations.
>
> - Regulations, you have to follow the law even when it's in conflict with your policy.
>
> What answer would you give if this came up in an exam, if "it depends" isn't one of the options?

First off, I suspect that this is one of the "lazy" practice test questions: the
practice test people tend to try and make things hard by asking "trick" questions,
but not putting real work into wording the question so there is a real chance of it
making any sense.

Secondly, my almost autonomic response is to say "policy," because when you are
faced with a difficult question, the "correct" answer is very often the
"management" answer 🙂

Technically, regulation is part of regulatory law. Regulatory law only applies if
you are working in that specific field or industry. Therefore it will not apply
across the board, and, again, policy is more important.

However, simply asking whether policy or regulation is more important is a bad
question, and you won't encounter that type of thing on the exam. Any question
that *does* address this type of issue will have additional background or factors
you need to consider.

You owe the Oracle a regulation on how to write policy.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468