Standards vs Frameworks vs Regulations vs Statutory Laws

Standards, frameworks, statutory laws and regulations are all rules or requirements that organizations must follow, but they differ in several ways.

STANDARDS

Voluntary guidelines or specifications that organizations can choose to follow to improve performance or achieve goals. For example, a company might adopt technical standards to improve its information security.

  • Fixed guidelines that ensure uniformity and compliance across different entities
  • Ensure consistency, safety, and quality by setting clear expectations and benchmarks that must be met

Examples of standards include, but are not limited to:

  • International Organization for Standardization (ISO) Standards
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996

FRAMEWORKS

More comprehensive than standards, frameworks can bundle standards, guidelines, and tools that help organizations achieve their goals. Frameworks help organizations prepare for compliance and audits, and organizations can customize them to meet specific needs.

  • Offer a set of best practices, tools, and concepts that guide users in achieving particular goals
  • Flexible and can be adapted to fit specific needs and contexts

Framework examples include, but are not limited to:

  • National Institute of Standards and Technology (NIST) frameworks
  • Health Information Trust Alliance (HITRUST)
  • Control Objectives for Information and Related Technologies (COBIT)

STATUTORY LAWS

Laws are rules made by the government of a country, state, or city. They are enacted by a legislative body and signed by a ranking official (such as a president or governor). Everyone within that jurisdiction must comply with them. Statutory law examples include, but are not limited to:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Fair and Accurate Credit Transactions Act (FACTA), including the “Red Flags” rule
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Information Security Management Act (FISMA)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The UK Data Protection Act (DPA)

REGULATIONS

Government-enforced security requirements that organizations must follow to raise their cybersecurity baseline. Regulations are legally binding and are typically issued by governments, local authorities, or international bodies. Violating a regulation may result in penalties, fines, or legal action.

Regulations spell out in detail how laws are enforced or carried out. Examples of regulations include, but are not limited to:

  • European Union General Data Protection Regulation (EU GDPR)
  • Defense Federal Acquisition Regulation Supplement (DFARS)
  • Federal Acquisition Regulation (FAR)
  • Federal Risk and Authorization Management Program (FedRAMP)