What is the difference between security policies, processes, and guidelines?

We find that most organizations struggle with the documentation aspect of a PCI assessment. Established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards to control risks to business assets, but also to have a common understanding and language that creates consistency across the culture of the organization. Small organizations often question why they need to document how their organization runs, especially if there are only a few people in the company. We think that’s the perfect example of why your organization, no matter the size, needs documentation: what if something happens? Who would know how to securely operate your organization? You need to have the proper policies, procedures, and standards in place to ensure the ongoing continuity and security of your organization.

In order to create and document proper policies, procedures, and standards, you need to understand the differences between them. A policy is an executive-level document that defines that something must be done. For example, a policy outlines what employees must or must not do, along with directions, limits, principles, and guides for decision making – policies are the law at your organization. A procedure is the counterpart to a policy: a policy defines that something must be done, but a procedure defines how you do it. A policy defines a rule, and the procedure says “This is who is expected to do it, and this is how they are expected to do it.” Standards are the tools, means, and methods that you will use to meet policy requirements.

Creating procedures is where most organizations tend to struggle. A procedure should provide very clear, step-by-step instructions on how something must be done or is to be done. Procedures are instructions on how to run your business. Your organization needs to have this documentation in place to define how to complete tasks securely to ensure the ongoing operation and security of your organization.

Policies, procedures, and standards should be written at a level where you could hire somebody, or hand these documents to somebody, with knowledge of the specific topic, and that individual would be able to carry out the task. We don’t expect you to educate someone from the ground level to expert level; someone who already has knowledge of the topic should be able to read the policy or procedure and perform the task that’s detailed.

One of the more confusing elements of security policies is the interaction between policies, standards, guidelines, and procedures. First, let's define what we mean by each:

• Policy: A policy is a document that outlines the requirements or rules that must be met. Policies frequently refer to standards or guidelines as the basis for their existence. The scope of a policy tends to be a broad, high-level statement of intent. An example of a policy is an Encryption Use Policy, which might state something to the effect of "encryption should be used in these circumstances."

• Standard: A standard is a set of requirements, typically system or technology specific, that must be adhered to by everyone. The scope of a standard tends to be to specify the requirements for a given technology or area. An example might be defining that the only acceptable encryption algorithms are Triple DES (3DES) or Advanced Encryption Standard (AES).

• Guideline: A guideline is similar to a standard, but it differs in that a guideline is merely a recommendation or suggestion that should probably be followed but is not necessarily required. Guidelines and standards are largely interchangeable in most cases.

• Procedure: A procedure defines the process that is followed to meet the requirements of a policy, standard, or guideline. The scope of a procedure is the specific step-by-step process that should be followed for implementing a given standard or guideline. An example of this might be defining the procedures required to implement 3DES or AES encryption on your firewalls.

Figure 10-2 helps to illustrate the relationship between policies, standards, and procedures as a pyramid. Keep in mind that standards and guidelines are interchangeable and occupy the same level in the pyramid. As you go down the pyramid, the documents get more detailed and are more subject to change. So, policies are broad and do not change often. Standards and guidelines are more detailed but more susceptible to change. Procedures are extremely detailed and may frequently change as they incorporate new standards or methods of performing the given tasks.

How can we ensure that employees and individuals inside any business use technology in the manner that the organization expects? Previously, we discussed Why Every Organization Needs Information Security Policies. Any business will take steps to secure its information assets, and how that business will do so should be documented and described in its information security policy. However, policy drafters have been known to be confused about the differences between policies, procedures, standards, and guidelines. They mix and match the various notions or combine them into a single document.

Why is it important to have a well-documented framework in place?


These ideas are distinct, but they are intertwined. We can formalize our expectations by implementing policies, procedures, and guidelines. It is not enough for us to simply state our expectations verbally; we need written documentation to help users conceptualize our expectations so that they can refer back to the documented policies. Written documentation also helps to reduce complexity because it forces us to be clear with our words; otherwise, policies will not be followed because they are confusing, and people will not understand them. It is important to document a process in such a way that someone new to the team can refer to the document and complete the work.

So why should you be concerned about policy vs. standard vs. control vs. procedure?


Because policies, standards, and procedures are distinct, each serves a specific purpose and fulfills a need. Words are the foundation of governance. Understanding the significance of these ideas is critical to correctly executing cybersecurity and privacy governance inside a business, and it goes beyond simply using the correct terminology. The deployment of hierarchical documentation, which entails bringing together the proper people and job functions to provide suitable instruction, is indicative of a well-run governance program.

What exactly do these terms imply?


Policy

A policy is a decision made by the governing body of an organization, and it is usually an internal decision made by a company to improve its operations. A policy is a statement that articulates a principle its intended audience should follow; each policy should address a critical issue related to the company’s long-term goals, and must be followed at all times.

For example, a workplace health and safety policy highlights the importance of safety to the company and to those covered by the policy. The health and safety policy should be in line with strategic objectives, such as improved service quality, reduced costs, and fewer injuries.

As another example, a company’s governing board may agree that legal services will examine any third-party contracts, so they create a policy stating that, aside from legal services, no other department in the company has been given permission to review third-party contracts for privacy and security.

Policy is WHY we should be doing something.

Standards

Standards are mandatory courses of action or regulations that provide support and direction to formal policies. Getting a company-wide consensus on what standards should be in place is one of the more difficult aspects of creating standards for an information security program. This is a time-consuming process, but it is necessary for your information security program to succeed.

A standard describes how a user is expected to behave, such as using a uniform company email signature. Standards can also define which hardware and software solutions are available and supported. A third-party norm may be voluntary or mandatory; typically, the default position is that they are optional.

Standards are WHAT we should be doing.

Procedures

Procedures are a collection of actions that must be followed in order to complete a task or process in accordance with a set of rules. Procedures assist in determining how an organization actually implements a policy, standard, regulation, or control, and must be followed at all times.

There can be no defensible evidence of due-care activities without documented procedures. They are typically established and maintained by the process owner / asset custodian, but stakeholder review is anticipated (and encouraged) to verify that applicable compliance standards are met. A procedure’s output is intended to fulfill a specified control. In some circumstances, procedures are also referred to as control activities.

Procedure is HOW we should be doing something.

To Sum It All Up


There is a distinct difference between policies, standards, and procedures. Each has a purpose and fulfills a specific requirement. Policies serve as the foundation, with standards and procedures serving as the building blocks. Keep in mind, establishing an information security program takes time. It is a deliberate, organization-wide approach that necessitates input from all levels. The day-to-day actions necessary to run your firm can be made more efficient and profitable by getting organization-wide consensus on policies, standards, procedures, and guidelines.

Does your organization need support in either constructing or restructuring your policies, standards, and procedures? We do this type of work at Idenhaus all the time, and would love to be your partner in streamlining your business processes. Schedule some time with one of our experts here.


By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. You can contact us here.


What is the difference between security policy and procedures?

Essentially, a security policy defines expected behavior, and security procedures define how those behaviors are enforced, prevented, and/or identified.

What are security procedures and guidelines?

Standards and safeguards are used to achieve policy objectives through the definition of mandatory controls and requirements. Procedures are used to ensure consistent application of security policies and standards. Guidelines provide guidance on security policies and standards.

What are policies procedures and guidelines?

A policy is a set of rules or guidelines for your organization and employees to follow in order to achieve compliance. Policies answer questions about what employees do and why they do it. A procedure is the set of instructions on how a policy is followed.