
As a security professional, you have to ensure the effectiveness of information security and comply with requirements such as laws, regulations, industry standards, contracts, organizational policies, codes of ethics, etc. Which of the following should you follow when compliance requirements are not consistent? (Wentz QOTD)
A. Laws
B. Regulations
C. Industry standard
D. Organizational policies
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Organizational policies.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Organizations shall comply with laws and regulations. The management team shall exercise due diligence to set out or review policies so that they meet legal and regulatory requirements.
Inconsistency between organizational policies and laws or regulations doesn’t necessarily mean a violation. Organizational policies may set higher standards than laws or regulations require. If so, employees just need to follow the policies.
Conversely, organizational policies may violate laws or regulations. In this situation, the management team shall revise the policies so that employees can follow them. If an employee finds that a policy contradicts laws or regulations, he or she should communicate or report this to management and then follow the newly revised policy.
It’s inappropriate for employees to ignore organizational policies and follow laws and regulations directly on their own. If a policy that violates laws or regulations is reported to management and ignored, employees may follow the whistle-blowing procedure.
There is no doubt that everyone shall comply with laws and regulations. Organizations shall keep their policies compliant with them so that employees who follow the policies don’t violate laws or regulations.
As a security professional, you must ensure the effectiveness of information security and meet compliance requirements such as laws, regulations, industry standards, contracts, organizational policies, codes of ethics, etc. When these compliance requirements are inconsistent, which of the following should you follow first? (Wentz QOTD)
A. Laws
B. Regulations
C. Industry standards
D. Organizational policies