A security policy provides a general means for compliance on a given topic, but it's standards that anchor a policy's direction.
While policies provide the general concept, for example, "All employees are responsible for protecting company information," standards keep policies, such as, application programming practices and information security handbooks, effective and current. They flesh out supporting documents to identify what's expected.
Standards state how the information gets protected. They are action-specific and/or technology-driven, specifying timeframes, measures and procedures. For example, a typical standard in an information security handbook would specify, "Users are required to create eight-character passwords that include numerals, letters and symbols that get changed every 30 days."
Standards outline the corporate commandments, defining mandatory compliance requirements, though they may include guidelines, which describe nice-to-have elements. More over, standards need to stand on their own to ensure they change whenever technology or the environment changes. Defining standards as separate documents allow policies to act as the framework for information security management.
Enterprises recognize the need for standards, however, developing, adhering and monitoring them is a logistical problem. When developing standards, follow these practices:
- Ensure that standards are practical, current and measurable. Well-defined
- standards will provide measurable guidance on what's expected, and ensure adequate documentation of employees' adherence to standards.
- Establish a standards review process. If you learn that employees regularly work around the standard, develop an alternative to eliminate the potential for non-compliance and to document due care in policy-based enforcement.
- Ensure that standards are technology-driven. Update standards when the technology changes.
Total employee commitment for implementing standards is required for effective security policy management. If line management doesn't get the proper message from senior management, then the standards have no chance of surviving. Similar to policies, if employees see that management is committed to the standards' outcomes, there's a better chance that the employees will be committed.
About the author
Tom Peltier has been an information security professional for more than 25 years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.
- You shouldn't be developing your organization's security policies by yourself. Find out who should be sharing the responsibility in this tip.
- Learn what components should be included in each of your Tier-1 Policy statements.
- Thomas offers an overview of Tier-1 Policies, beginning with this tip.
This was first published in November 2004