Security Policies & Standards
A candidate for the CISSP certification must understand the differences and relationships between the following:
- Policies
- Standards
- Guidelines
- Procedures
1- Policy: A security policy is a written document in which an organization states how it protects itself from threats and how it responds when security incidents occur. RFC 2196, The Site Security Handbook, defines a security policy as "a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." A policy states what must be done and why; it never states "how" the objectives are to be accomplished.
The four main types of policies are:
- Senior Management: A high-level management statement of an organization’s security objectives, organizational and individual responsibilities, ethics and beliefs, and general requirements and controls.
- Regulatory: Required when an organization operates in an industry that is subject to laws or regulations. A regulatory policy documents the controls and restrictions those laws impose on specific activities and ensures the organization can demonstrate compliance with them.
- Advisory: Not mandatory, but strongly recommended. An advisory policy describes the expected behavior or activity and usually spells out the consequences of not following it, while leaving the organization some discretion in how it is applied.
- Informative: Only informs, with no explicit requirements for compliance.
Standards, guidelines, and procedures supply the implementation details that the policy deliberately leaves out.
2- Standards: Security standards are mandatory. They define the control objectives, and the specific controls, technologies, or configurations, that must be used to enforce the security policy. An organization may write its own standards or adopt published ones such as those from NIST or ISO.
3- Guidelines: Guidelines resemble standards, but they are recommendations rather than compulsory requirements; they offer advice on how to meet the policy when no standard dictates a single approach.
4- Procedures: Security procedures are the detailed, step-by-step instructions that staff follow to implement the security policies and standards.