Policies, Standards, Guidelines, and Procedures


Policies, standards, guidelines, and procedures are all subtly different from each other, but they also interact with each other in a variety of ways. It’s your job as a CISSP candidate to study these differences and relationships, and also to recognize the different types of policies and their applications. To successfully develop and implement information security policies, standards, guidelines, and procedures, you must ensure that your efforts are consistent with the organization’s mission, goals, and objectives (see the preceding section).

Policies, standards, guidelines, and procedures all work together as the blueprints for a successful information security program. They

  • Establish governance

  • Provide valuable guidance and decision support

  • Help establish legal authority

Too often, technical security solutions are implemented without these important blueprints. The results are often expensive and ineffective controls that aren’t uniformly applied and don’t support an overall security strategy.

 Instant Answer   Governance is a term that collectively represents the system of policies, standards, guidelines, and procedures that help steer an organization’s day-to-day operations and decisions.

Policies

A security policy forms the basis of an organization’s information security program. RFC 2196, The Site Security Handbook, defines a security policy as “a formal statement of rules by which people who are given access to an organization’s technology and information assets must abide.”

 Instant Answer   The four main types of policies are

  • Senior Management: A high-level management statement of an organization’s security objectives, organizational and individual responsibilities, ethics and beliefs, and general requirements and controls.

  • Regulatory: Highly detailed and concise policies usually mandated by federal, state, industry, or other legal requirements.

  • Advisory: Not mandatory, but highly recommended, often with specific penalties or consequences for failure to comply. Most policies are considered to be in this category.

  • Informative: Purpose is only to inform with no explicit requirements for compliance.

 Remember   Standards, guidelines, and procedures are supporting elements of a policy and provide specific implementation details of the policy.

Standards (and baselines)

Standards are specific, mandatory requirements that further define and support higher-level policies. For example, a standard may require the use of a specific technology, such as a minimum requirement for encryption of sensitive data using 3DES. A standard doesn’t go so far as to specify the exact product to be implemented.

Baselines are similar to and related to standards. A baseline can be useful for identifying a consistent basis for an organization’s security architecture, taking into account system-specific parameters, such as different operating systems. After consistent baselines are established, appropriate standards can be defined across the organization.

Guidelines

Guidelines are similar to standards but are recommendations rather than compulsory requirements. For example, a guideline may provide tips or recommendations for determining the sensitivity of a file and whether encryption is required.

Procedures

Procedures provide detailed instructions on how to implement specific policies and meet the criteria defined in standards. Procedures may include Standard Operating Procedures (SOPs), run books, and user guides. For example, a procedure may be a step-by-step guide for encrypting sensitive files by using a specific software encryption product.




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242
