1 vote
What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?

by User Tuwanda (5.2k points)

1 Answer

5 votes

Answer:

  • The difference between a policy, a standard and a practice is as follows:
    1. Policy: It can be defined as the written instructions that describe proper behavior.
    2. Standard: It can be defined as the detailed statement of what must be done to comply with policy.
    3. Practice: It can be defined as the examples of actions that would comply with policy.
  • The three types of security policies are:
    • Enterprise Information Sec. Policy (EISP): High level policy that sets the strategic direction, scope, and tone for the organization's security efforts. Use: It is used to support the mission, vision and direction of the organization and sets the strategic direction, scope and tone for all security efforts.
    • Issue Specific Sec. Policy (ISSP): An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. Use: It is used to support routine operations and instructs employees on the proper use of these technologies and processes.
    • System Specific Sec. Policy (SysSP): Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups (managerial guidance and technical specifications) but may be written as a single unified document. Use: It is used as a standard when configuring or maintaining systems.
  • An ISSP policy would be needed to guide the use of the web, email and personal use of office equipment.

by User Yoano (5.3k points)