As part of a security team, we have developed a suite of information security policies for the corporation. We are now in process of developing standards for some of our platforms. What is the real difference between policies and standards, and how detailed should standards be? Are you able to provide any examples?
The three main terms I see in policy development are policies, standards and procedures. To me, policies are the very high level statements that govern an organization. An example policy might be that all users must maintain strong, unique passwords for their system accounts. A corresponding standard for this policy could be that all passwords must be at least eight characters long and contain a combination of upper and lowercase letters, numbers and symbols. Procedures are the detailed steps showing how to implement the stated policy. This should be very detailed, providing exact command line syntax or screenshots showing how to implement this policy.
For more information on this topic, visit these other SearchSecurity resources:
Ask the Expert: Differentiating between policies, standards, procedures and technical controls
Best Web Links: Law, Public Policy and Standards
Best Web Links: Security Policy and Infrastructure
This was first published in June 2002