Policy Hierarchy
Policy Hierarchy Explained
Policies: Think of information security policies as the specifications or goals of the various aspects of the security program. Policies should specify what is being protected and who is accountable, but not HOW the specified tasks are performed.
Standards: Standards define mandatory and minimum mechanisms associated with specific policies (e.g. remediation timelines).
Guidelines: These are authoritative methodologies and recommendations (e.g. password hygiene).
Statements: Information Security Statements are written reports outlining our position, attitude, and intentions regarding a particular cyber security matter. These are sometimes referred to as 'position papers'.
Baselines: Baselines represent measurable/verifiable minimum levels of security (e.g. configurations).
Procedures: These describe exactly HOW to implement policies and standards/baselines (e.g. incident response, access control). Procedures are usually documented as Standard Operating Procedures (SOPs).
Updated: March 18, 2021