Difference between Authoritative Source, Control Standard and Control Procedure.
I am trying to understand the linkage between Policy, Authoritative Sources, Control Standard and Control Procedure.
Any example will be of great help.
Organizations have various controls (specific to their environment) placed/implemented. Will those be a part of Control Standard or Control Procedure?
I need some guidance on this.
The difference is how far "into the weeds" you want to go. Control standards are higher-level, such as "Firewalls will have unnecessary ports closed" (note no mention of specific ports or how to close them). Control procedures are the specific details of how to meet/implement the control standard (such as listing the ports that are to remain open and how to close the other ports). The control procedures are measurable for compliance purposes, while the control standards are more generic and therefore less measurable.