One where an organization or individual may be legally liable (party to a law petition, subject to fines,  imprisonment, or employee action). $00.02

I use this to help me keep track of the hierarchy: https://www.complianceforge.com/word-crimes/policy-vs-standard-vs-control-vs-procedure 

 

Just add 'Regulations' to the bottom of the pyramid as being the most important (or bare minimum depending on how you look at it). Also, depending on the type of policy, it doesn't have to reference a regulation to justify it's existence.   

> gidyn (Newcomer III) posted a new topic in Exam Preparation on 03-22-2021 08:06

> I've seen variations on this crop up a few times in practice tests. The answers
> vary: - Policy, because that will include any applicable regulations. -
> Regulations, you have to follow the law even when it's in conflict with your
> policy.   What answer would you give if this came up in an exam, if "it
> depends" isn't one of the options?

First off, I suspect that this is one of the "lazy" practice test questions: the
practice test people tend to try and make things hard by asking "trick" questions,
but not putting real work into wording the question so there is a real chance of it
making any sense.

Secondly, my almost autonomic response is to say "policy," because when you are
faced with a difficult question, the "correct" answer is very often the
"management" answer 🙂

Technically, regulation is part of regulatory law. Regulatory law only applies if
you are working in that specific field or industry. Therefore it will not apply
across the board, and, again, policy is more important.

However, simply asking whether policy or regulation is more important is a bad
question, and you won't encounter that type of thing on the exam. Any question
that *does* address this type of issue will have additional background or factors
you need to consider.

You owe the Oracle a regulation on how to write policy.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/