To illustrate the application of these guidelines, let's consider our own website's experience with implementing them. We'll use this real-world example to demonstrate the process of evaluating guidelines.
Our website is a service for external Users. The Users are external to the system (that is, they are not considered part of the system). Website staff, on the other hand, are part of the system.
The guidelines and supplementals often refer to users or capabilities of a system. For example:
When looking at this from the point of view of a security analyst, we have the following concerns:
The users provide their own computers and browsers, and we don't know and don't control what else they do with their computers.
A potential requirement could be worded to accept system use of external storage (for example, for backups), but this conflicts with the prohibition in the guidance.
After considering these points we decide this guidance is not applicable for our website, and mark it "Inapplicable."
We've found that AC 20(4) is not applicable to our website due to its focus on internal systems.
When reviewing guidelines for your own systems and organizations, it's worthwhile considering the focus of each guideline and how well it aligns with the needs of your system.