Standards fortify policies

A security policy provides a general means for compliance on a given topic, but it's standards that anchor a policy's direction.

While policies state the general concept, for example, "All employees are responsible for protecting company information," standards keep the supporting documents, such as application programming practices and information security handbooks, effective and current. They flesh out those supporting documents to identify what's expected.

Standards state how the information gets protected. They are action-specific and/or technology-driven, specifying timeframes, measures and procedures. For example, a typical standard in an information security handbook would specify, "Users are required to create eight-character passwords that include numerals, letters and symbols that get changed every 30 days."

Standards outline the corporate commandments, defining mandatory compliance requirements, though they may include guidelines, which describe nice-to-have elements. Moreover, standards need to stand on their own so they can change whenever the technology or the environment changes. Defining standards as separate documents allows policies to act as the framework for information security management.

Enterprises recognize the need for standards; however, developing, adhering to and monitoring them is a logistical problem. When developing standards, follow these practices:

  • Ensure that standards are practical, current and measurable. Well-defined standards will provide measurable guidance on what's expected, and ensure adequate documentation of employees' adherence to standards.
  • Establish a standards review process. If you learn that employees regularly work around the standard, develop an alternative to eliminate the potential for non-compliance and to document due care in policy-based enforcement.
  • Ensure that standards are technology-driven. Update standards when the technology changes.

Total employee commitment for implementing standards is required for effective security policy management. If line management doesn't get the proper message from senior management, then the standards have no chance of surviving. Similar to policies, if employees see that management is committed to the standards' outcomes, there's a better chance that the employees will be committed.

About the author
Tom Peltier has been an information security professional for more than 25 years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.

