Policy, Standard, and Practice in IT Security
Knowing the essential differences between levels of security awareness.
Being able to distinguish between security policies, standards, and best practices in an organization is a must for the evolving field of information security.
A security policy is a document “that states in writing how a company plans to protect the company’s physical information and technology (IT) assets” (“Security Policy”). Such a policy is usually treated as an ongoing effort with no end point; it is periodically amended to reflect changes in the organization. Aspects of a standard security policy might include “an acceptable use policy, a description of how the company plans to educate its employees . . . an explanation of how security measurements will be carried out . . . and a procedure for evaluating the effectiveness of the security policy” (“Security Policy”).

Security Standards and Their Criteria
A security standard is an objective set of criteria designed to maintain a certain level of security. One such standard is ISO 27001, which offers vendors and customers concrete assurance that an organization takes information security and risk management seriously. Standards are defined as “more detailed statements of what must be done to comply with policies” (Whitman and Mattord 174). However, the meaning of an IT security standard or policy is context-dependent. A (best) security practice is a “technique or methodology that, through experience and research, has proven to reliably lead to a desired result” (“Best Practice”). A commitment to using best practices in IT security means an organization is dedicated to using every bit of knowledge and technology it can to ensure confidentiality, integrity, and accessibility of data. Information on particular best practices can be found in “a number of published information security frameworks, such as those from government organizations as well as those from private organizations and professional societies” (Whitman and Mattord 234). The three types of security policies are the general (or security program) policy, the issue-specific security policy, and the system-specific security policy.
Security Policies Provide Essential Support
A general security policy may be called an Enterprise Information Security Policy (EISP), an IT security policy, or an information security policy. Such a policy “is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts” (Whitman and Mattord 175). It is used to address two specific areas: general program compliance and the application of discipline and punishment. An issue-specific security policy provides guidelines that teach employees how to use “various technologies and processes to support routine operations” (Whitman and Mattord 176). The issue-specific security policy ensures compliance with specific technological components, needs to be updated frequently, and may contain the organization’s views on a particular issue. The system-specific security policy is a set of “codified . . . standards and procedures to be used when configuring or maintaining systems” (Whitman and Mattord 179). Such a policy is employed to define access for particular users or levels of security within a system. With the increasing convergence of non-physical data networks and physical risk-prevention resources, understanding these levels of focus will improve and ensure asset protection at every level.

References:
“Security Policy.” (2008). Retrieved on February 22, 2009 from: http://searchsecurity.techtarget.com/dictionary/definition/what-is-security-policy.html
“Best Practice.” (2008). Retrieved on February 22, 2009 from: http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci498678,00.html
Whitman, M., & Mattord, H. (2004). Principles of Information Security. Boston: Course Technology, 2009.
The copyright of the article Policy, Standard, and Practice in IT Security in Internet Security is owned by Michael Davis. Permission to republish Policy, Standard, and Practice in IT Security in print or online must be granted by the author in writing.