Polcies and Standards

Is it a Policy, a Standard or a Guideline?


A policy is typically a document that outlines specific requirements or rules that must be met. In the information security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.  Our team will ensure that policies and standards are defined to address and protect the areas that are important from the security strategy.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows workstation on an external network segment. In addition, a standard can be a technology selection, e.g. XYZ company uses 256Kbit key sizes for encryption.  Our team will ensure that appropriate standards are defined where necessary.

A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Our team will ensure that policies make frequent references to standards and guidelines that exist within an organization.