The four main types of policies are:
- Senior Management: A high-level management statement of an organization’s security objectives, organizational and individual responsibilities, ethics and beliefs, and general requirements and controls.
- Regulatory: Policies formulated by governments to impose controls and restrictions on specific activities or behavior. Regulation is not only a set of governing rules but also a concept within governance.
- Advisory: Not mandatory, but highly recommended. A policy advisor informs policy analysts about the various issues involved in policy making; the policies that result from such consultations are called advisory policies.
- Informative: Only informs, with no explicit requirements for compliance.
Standards, guidelines, and procedures provide definite implementation details of the policy.
2- Standards: Security standards provide control objectives, and controls for enforcing security policies. Standards can be defined by the organization itself. The organization may also prefer to use standards defined by NIST or ISO.
3- Guidelines: Guidelines are similar to standards, but they function as advice rather than as compulsory requirements.
4- Procedures: Security procedures are the systematic instructions to implement the security policies and standards.