Security policies, standards, procedures, and guidelines
Policies, standards, procedures, and guidelines form a quartet of organizational mechanisms for protecting information:
- Security policies are high-level statements that provide management intent and direction for information security. They describe the "what" of the description.
- Security standards provide prescriptive statements, control objectives, and controls for enforcing security policies. In a way, they provide the "how" of the description. They can be internally developed by the organization and/or published by standards bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), or country-specific standards bodies.
- Security ...