If an organization is going to have a chance at a successful security program they need to develop policies that provide direction for all security efforts and guide the conduct of the users. These policies need to be well written to provide the organization with solid guidance to support their security objectives.
Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirements for compliance as policies. Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy. Figure 4-2 shows the relationships among policies, standards, guidelines, procedures, and practices. This relationship is further examined in the nearby Offline feature.
The meaning of the term security policy depends on the context in which it is used. Governmental agencies view security policy in terms of national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency’s method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization’s assets. An information security policy provides rules for protection of the organization’s information assets.
Management must define three types of security policy, according to Special Publication (SP) 800-14 of the National Institute of Standards and Technology (NIST):
1.Enterprise information security policies
2.Issue-specific security policies
3.Systems-specific security policies
Figure 4-2 Policies, standards, guidelines, and procedures
Several published information security frameworks by government organizations, private organizations, and professional societies supply information on best practices for their members