Standards vs. policies

As part of a security team, we have developed a suite of information security policies for the corporation. We...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

are now in process of developing standards for some of our platforms. What is the real difference between policies and standards, and how detailed should standards be? Are you able to provide any examples?

The three main terms I see in policy development are policies, standards and procedures. To me, policies are the very high level statements that govern an organization. An example policy might be that all users must maintain strong, unique passwords for their system accounts. A corresponding standard for this policy could be that all passwords must be at least eight characters long and contain a combination of upper and lowercase letters, numbers and symbols. Procedures are the detailed steps showing how to implement the stated policy. This should be very detailed, providing exact command line syntax or screenshots showing how to implement this policy.

Differentiating between policies, standards, procedures and technical controls
Law, Public Policy and Standards
Security Policy and Infrastructure

For more information on this topic, visit these other SearchSecurity resources: Ask the Expert: Best Web Links: Best Web Links:

This was last published in June 2002

Dig Deeper on Information security policies, procedures and guidelines

SearchCloudSecurity

Comparing policies, standards, procedures and technical controls

How security standards help companies prioritize data protection

Keep devices regulation ready with compliant mobile data management

PCI 3.0 changes: A PCI compliance requirements checklist for 2015

Please create a username to comment.

Choosing between proxy vs. API CASB deployment modes

How to use the Mitre ATT&CK framework for cloud security

How to build a cloud security operations center

Network pros share Cisco DevNet certification advice

Cloud automation use cases for managing and troubleshooting

A look inside the official Cisco DEVASC 200-901 guidebook

5 ways to keep developers happy so they deliver great CX

Link software development to measured business value creation

5 digital transformation success factors for 2021

11 tips to improve Windows 10 performance

Microsoft Pluton chip will secure future Windows PCs

How does Microsoft 365 extend Windows 7 support?

A conference guide to AWS re:Invent 2020

Cognito user pools vs. identity pools -- what AWS users should know

How to containerize legacy applications in an Azure migration

This Christmas, Covid-19 heightens retail security risks for everyone

Broadband access drives New Zealand remote working to be permanent fixture

Government must hold technology companies to account on e-waste

Dig Deeper on Information security policies, procedures and guidelines

Comparing policies, standards, procedures and technical controls

How security standards help companies prioritize data protection

Keep devices regulation ready with compliant mobile data management

PCI 3.0 changes: A PCI compliance requirements checklist for 2015

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.