In this excerpt of Chapter 2 from Information Security Policies Made Easy, Version 10, author Charles Cresson Wood defines security policies, and explains the difference between policies, guidelines and standards.
Policies are management instructions indicating a predetermined course of action, or a way to handle a problem or situation. Policies are high-level statements that provide guidance to workers who must make present and future decisions. Policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases outside, the organization. Policies also can be considered to be business rules. Although information security policy documents vary from organization to organization, a typical policy document includes a statement of purpose, description of the people affected, history of revisions, a few definitions of special terms and specific policy instructions from management.
Policies are mandatory and can be thought of as the equivalent of organization-specific law. Special approval is required when a worker wishes to take a course of action that is not in compliance with policy. Because compliance is required, policies use definitive words like "must not" or "you must." The words used to compose policies must convey both certainty and unquestionable management support. For simplicity and consistency, throughout this guide, the word "must" has been employed, but equivalent words are acceptable.
Policies are distinct from but similar to guidelines, which are optional and recommended. The policies appearing in this guide can be transformed into guidelines by replacing the word "must" with the word "should." As easy as this substitution may be, the transformation of the policies found in this guide into guidelines is not recommended. This is because guidelines violate a basic principle of secure systems design called "universal application," which means controls are significantly weakened if they are not consistently applied. Guidelines are nevertheless desirable in some cases. For example, when work is to be done by a distributed group of individuals who cannot be compelled to comply with a policy, a centralized information security function may appropriately issue guidelines rather than policies. This approach is commonly found when a centralized information security group issues a guideline for the preparation of departmental contingency plans.
Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. Standards cover details such as implementation steps, systems design concepts, software interface specifications, software algorithms and other specifics. The term "information security architecture" is different again, referring to a collection of integrated information security standards implemented across an organization, across operating system platforms and across networks. A standard would, for example, define the minimum secret key length (in bits) required for an encryption algorithm. A policy, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet. An architecture would define a consistent approach to the implementation of various encryption processes across an organization, for example digital signatures and digital certificates.
Policies are intended to last for up to five years, while standards are intended to last only a few years. Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes and information systems technologies mentioned in standards change so rapidly. For example, a network security standard might specify that all new or substantially modified systems must comply with ITU-T Recommendation X.509 (also published as ISO/IEC 9594-8), which defines the public key certificate format used to authenticate parties when establishing a secure communications channel. A standard of this kind is likely to be revised, expanded or replaced within a few years. Policies are generally aimed at a wider audience than standards. For example, a policy requiring the use of anti-virus software would apply to all personal computer users, but a standard requiring the use of public key digital certificates could be directed only at staff who conduct organizational business over the Internet.