To successfully develop and implement information security policies, standards, guidelines, and procedures, you must ensure that your efforts are consistent with the organization's mission, goals, and objectives.
Policies, standards, procedures, and guidelines all work together as the blueprints for a successful information security program. They
- Establish governance.
- Provide valuable guidance and decision support.
- Help establish legal authority.
Governance is a term that collectively represents the system of policies, standards, guidelines, and procedures that help steer an organization's day-to-day operations and decisions.
PoliciesA security policy forms the basis of an organization's information security program. RFC 2196, The Site Security Handbook, defines a security policy as "a formal statement of rules by which people who are given access to an organization's technology and information assets must abide."
The four main types of policies are
- Senior Management: A high-level management statement of an organization's security objectives, organizational and individual responsibilities, ethics and beliefs, and general requirements and controls.
- Regulatory: Highly detailed and concise policies usually mandated by federal, state, industry, or other legal requirements.
- Advisory: Not mandatory, but highly recommended, often with specific penalties or consequences for failure to comply. Most policies fall into this category.
- Informative: Only informs, with no explicit requirements for compliance.
Standards, procedures, and guidelines are supporting elements of a policy and provide specific implementation details of the policy.
ISO/IEC 27002, Information Technology — Security Techniques — Code of Practice for Information Security Management, is an international standard for information security policy. ISO/IEC is the International Organization for Standardization and International Electrotechnical Commission. ISO/IEC 27002 consists of 12 sections that largely (but not completely) overlap the eight (ISC)2 security domains.
Standards (and baselines)Standards are specific, mandatory requirements that further define and support higher-level policies. For example, a standard may require the use of a specific technology, such as a minimum requirement for encryption of sensitive data using AES. A standard may go so far as to specify the exact brand, product, or protocol to be implemented.
Baselines are similar to and related to standards. A baseline can be useful for identifying a consistent basis for an organization's security architecture, taking into account system-specific parameters, such as different operating systems. After consistent baselines are established, appropriate standards can be defined across the organization.
Some organizations call their configuration documents standards (and still others call them standard operating environments) instead of baselines. This is a common and acceptable practice.