Standards vs. policies

As part of a security team, we have developed a suite of information security policies for the corporation. We...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

are now in process of developing standards for some of our platforms. What is the real difference between policies and standards, and how detailed should standards be? Are you able to provide any examples?

The three main terms I see in policy development are policies, standards and procedures. To me, policies are the very high level statements that govern an organization. An example policy might be that all users must maintain strong, unique passwords for their system accounts. A corresponding standard for this policy could be that all passwords must be at least eight characters long and contain a combination of upper and lowercase letters, numbers and symbols. Procedures are the detailed steps showing how to implement the stated policy. This should be very detailed, providing exact command line syntax or screenshots showing how to implement this policy.

Differentiating between policies, standards, procedures and technical controls
Law, Public Policy and Standards
Security Policy and Infrastructure

For more information on this topic, visit these other SearchSecurity resources: Ask the Expert: Best Web Links: Best Web Links:

This was last published in June 2002

Dig Deeper on Information security policies, procedures and guidelines

SearchCloudSecurity

Keep devices regulation ready with compliant mobile data management

As PCI DSS 3.0 deadline looms, QSAs urge 'continuous compliance'

Do not overlook the weak link in IT security

Free mobile device policy template examples for CIOs

Please create a username to comment.

Boost security with a multi-cloud workload placement process

Tackle identity management in the cloud with AaaS or IDaaS

Benefits of cloud data discovery tools and services multiply

RSA 2020: US needs allies to battle China's 5G threat

Networking startup Arrcus wins TechTarget innovation award

What do 2G and 3G sunset dates mean for business customers?

Quantum information science continues to advance with federal efforts

Hyperautomation: The most significant RPA trend of 2020

How ITSM services on mobile devices power employees, boost service

Windows 10X OS may be a preview of features to come

5 up-and-coming Mac management software vendors to know

Latest Windows 10 update issue another QA stain

Get to know the core Oracle IaaS offerings

Compare serverless tools and services in the public cloud

Review the pros and cons of 8 common hybrid cloud use cases

CIO interview: Ian Cohen, chief product and technology officer, Addison Lee

NCSC makes ransomware attack guidance more accessible

Student Loans Company to enlist IT suppliers for £200m transformation plan

Dig Deeper on Information security policies, procedures and guidelines

Keep devices regulation ready with compliant mobile data management

As PCI DSS 3.0 deadline looms, QSAs urge 'continuous compliance'

Do not overlook the weak link in IT security

Free mobile device policy template examples for CIOs

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.