From the course: Writing Security Policies and Standards
What are policies, standards, procedures, and guidelines?
- Have you ever wondered how large organizations maintain consistent and effective security programs, even with thousands of employees? The answer is their use of policies, standards, procedures, and guidelines. These documents each play a distinct role in protecting an organization. Understanding and applying them correctly is crucial for effective security. In this video, you'll learn how they differ and how each contributes to the overall security framework of an organization.

Policies, standards, procedures, and guidelines are types of organizational directives. They represent various security rules that an organization expects everyone to follow. Let's explore each in more detail.

Policies are the overarching principles and directives governing an organization's approach to security and compliance. They are formal statements typically approved by the organization's highest levels of management, answering why controls or behaviors are needed. They are broad, high-level, and normally technology independent. Examples of security policies include the Information Security Policy, the Data Protection Policy, and the Acceptable Use Policy.

Standards specify the requirements or rules to comply with policies. They answer the question of what must be done to align with the policies. They are detailed and may reference tools and technologies that must be used to support the policies. Examples of security standards include the Network Security Standard, the Server Security Standard, and the Workstation Security Standard.

Procedures are the instructions that must be followed to comply with standards and policies. They answer the question of how by providing step-by-step guides to ensure that tasks are performed consistently and correctly. Example security procedures include the User Authentication Procedure, the Backup and Recovery Procedure, and the Secure Disposal Procedure.

So far, these directives are all mandatory. They must be followed to comply with an organization's security requirements. Guidelines, however, offer best practices and recommendations to help an organization's staff stay secure and mitigate risks. They provide a flexible suggested how that allows for discretion. Examples of security guidelines include Internet Browsing Guidelines, Data Handling Guidelines, and Remote Work Guidelines.

Certain topics may have corresponding policies, standards, and procedures, such as Vulnerability Management. The policy outlines the organization's requirements for managing vulnerabilities effectively. The standard details what the organization does to manage vulnerabilities, and the procedure provides exact instructions on how to manage vulnerabilities.

The relationship between policies, standards, procedures, and guidelines is often represented as a pyramid illustrating their hierarchical structure. The pyramid shows that guidelines align with procedures, procedures align with standards, and standards align with policies. At the top of the pyramid, policies provide broad direction, while at the bottom, guidelines offer flexible recommendations supporting these directives. This interrelationship ensures that an organization's security and operational practices are consistent and effective.

Now that you understand the differences between policies, standards, procedures, and guidelines, review your organization's directives to see if they align with what you learned.
Contents
- What are policies, standards, procedures, and guidelines? (3m 52s)
- Common security policies and standards (2m 43s)
- Mapping policies to governance frameworks (3m 2s)
- The security policy lifecycle (3m 28s)
- Creating a security policy architecture diagram (3m 32s)
- Challenge: Distinguish between security directives (1m 54s)
- Solution: Distinguish between security directives (2m 13s)