
Policies, Standards, Guidelines and Procedures

The Security Leader’s Communication Playbook; Bridging the Gap between Security and the Business

Pamela Joy B. Nandu, PA 221 B


Policy, Standards, Guidelines and Procedures

Policies, standards, guidelines and procedures are the cornerstone of an effective security program. They are the “rule books” and governing documents of the program that get everyone on the same page.

A policy or standard conveys management’s view or intention on the rules or actions that are expected of everyone in your organization.
Policy and Standards Hierarchy

Policy: Outlines roles, responsibilities and expectations. Policies are enforceable and mandatory.

Standards: Offer the nitty-gritty “how to” for achieving the directives captured in policies. A standard gives specific direction.

Procedures: Are detailed step-by-step instructions. They provide people with a repeatable and predictable process.

Guidelines: Are recommendations and are typically not mandatory to follow.
Document your Security Program

Critical processes of all kinds need to be documented. Therefore, it is vital that the process documentation is up to date and matches the actions actually performed.

When writing policies and standards, templates are very effective and help you get past that initial blank page very quickly.

Auditors look for processes that will assure them that appropriate controls are in place to ensure the integrity, accuracy or privacy of the data being examined.

Policies should provide information security direction for your organization, include information on how you will meet business, contractual, legal or regulatory requirements, and contain a commitment to continually improve.
Writing a Policy or Standard

• Keep everything reader friendly. A policy or standard shouldn’t read like a contract.
• Consider the audience and whether the policy is written as clearly and simply as possible from the readers’ perspective.
• If you have a communication team, it might help if they could review a draft before it is published.
Guide template for writing a policy and standards:

1) Overview
2) Purpose
3) Scope and audience
4) Background information
5) Terminology
6) Contacts
7) Exceptions
8) Non-compliance
9) Review cycle
10) Revision history
THE POLICY AND STANDARDS LIFECYCLE

• Policies and standards are living documents that have their own lifecycle. The lifecycle of a policy can be broken down into five (5) phases: Initiation, Development, Publishing, Implementation and Maintenance.

INITIATION
1. Identify the need for new or updated policy/guidance.
2. Determine document type.
3. Identify sponsorship, stakeholders, subject matter experts and working group members.
4. Develop a high level implementation analysis.
5. Obtain agreement to proceed with the policy.
6. Prioritize and schedule the work.

DEVELOPMENT
1. Draft the initial policy document.
2. Distribute it to a smaller group for review and input.
3. Incorporate their feedback.
4. Distribute to a larger group for review and input.
5. Send the final draft out.
6. Review and incorporate feedback.
7. Present the final draft document.
8. Determine the effectivity date of the policy.

PUBLISHING
1. Publish your policy to the portal, SharePoint or website.

IMPLEMENTATION
1. Post and announce the document to your employees.
2. Conduct awareness activities.
3. Initiate projects to close control gaps.

MAINTENANCE
1. Update and revise the policy based on changes in laws, regulation or best practices which would require new or updated guidance.
2. Retire policies that are no longer necessary.
