What is the difference between security policies, standards and procedures?

Sometimes the nomenclature used to define information security policies and related documentation can be confusing.  Much of that confusion comes from the fact that the information security industry often uses these terms interchangeably.   At Information Shield, we adopt the following definitions that have proven effective over the years:

Information Security Policies are high-level business rules defining how the organization will protect information.  Standards are more detailed statements about how the organization will implement the written policies. Here is an example using protection of information during transit:

Sample Policy: All information transmitted over public networks must be encrypted according to Standards developed by the Information Security Department.

Standards provide the more detailed requirements for how a policy must be implemented. A standard, for example, would define the minimum number of secret key bits an approved encryption algorithm must use. The policy, on the other hand, would simply state the need to use an approved encryption process whenever sensitive information is sent over public networks such as the Internet.

Sample Standard: All symmetric encryption algorithms must employ key lengths of at least 256 bits.

Procedures are the specific operational steps or manual methods that workers must follow to achieve the goals of the written policies and standards. For example, many information technology departments have specific procedures for performing backups of server hard drives. In this example, a policy would state the need for backups, for off-site storage, and for safeguarding the backup media. A standard would define the software to be used to perform backups and how that software must be configured. A procedure would describe how to operate the backup software, when backups are to be made, and the other ways in which people interact with the backup system.

Policies are intended to last for up to five years, while standards are intended to last only a few years. Standards and procedures will need to change considerably more often than policies, because the manual procedures, organizational structures, business processes, and information systems technologies they refer to change so rapidly.

For example, a network security standard might specify that all new or substantially modified systems must use public key certificates that conform to ITU-T Recommendation X.509 (also published as ISO/IEC 9594-8), which defines the certificate format used to authenticate the parties to a secure communications channel with public key cryptography. A standard of this kind is likely to be revised, expanded, or replaced within a few years as the underlying technology and its accepted algorithms change.

Adopting an organized hierarchy of policies, standards and procedures can dramatically improve the effectiveness of your information security program. This structure is what Information Shield uses within our ComplianceShield policy subscription product.