Pages: 3 pages/≈825 words
Sources: 5 Sources
Style: APA
Subject: Technology
Type: Essay
Language: English (U.S.)
Document: MS Word
Topic:

Security Policies, Standards and Guidelines

Essay Instructions:

Module 1 - Background

Information Security Management Frameworks

Required Reading

PowerPoint Presentation on Information Security Management Framework.

NIST (2011). Managing Information Security Risk—Organization, Mission and Information System View. National Institute of Standards and Technology Special Publication 800–39.

NIST (2011). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology Special Publication 800–137. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

Ma, Q., Schmidt, M. B., & Pearson, J. M. (2009). An integrated framework for information security management. Review of Business, 30(1), 58–69. (TUI Online Library: ProQuest)

Johnson, E., & Goetz, E. (2007). Embedding Information Security into the Organization. IEEE Security & Privacy, May/June 2007.

Business Software Alliance. https://www.cccure.org/Documents/Governance/governance.pdf

Comparison of OSI to TCP/IP

http://www.youtube.com/watch?v=SII38b0RJr8

http://www.youtube.com/watch?v=RbY8Hb6abbg

http://www.nbcnews.com/id/18095186/#.US6xslfuqLU

Essay Sample Content Preview:

Security Policies, Standards and Guidelines
To protect information, businesses have to put rules and controls in place. These protect the information itself as well as the systems where it is stored and processed. This can be accomplished by enacting security policies, standards, and guidelines. This paper discusses the differences between security policies, standards, and guidelines and determines which of the three is most important (Johnson & Goetz, 2007).
Policies
An information policy consists of high-level statements that focus on protecting data within the business and that need to be generated by senior management. Policies, therefore, are universal requirements that have to be written down and communicated to specific groups within the organization, or sometimes outside the business. A policy is like a business rule that people need to observe. A policy summarizes security roles and duties, defines the scope of the information that needs protecting, and includes an advanced explanation of what has to be implemented in order to secure information. The policy also references all the standards and strategies that support it (Peltier, 2001). A business can have a single inclusive policy or different policies aimed at different departments or activities, such as a computer use policy or an email policy. Although policies vary from one organization to another, a typical policy includes a statement of purpose, a description of the individuals affected, an account of any past revisions, definitions of terms, and, above all, specific instructions set by senior management (Peltier, 2004).
Generally, policies are compulsory and can therefore be regarded as business-specific law. Special approval has to be given if a staff member or worker wishes to take an action that goes against the policy. Because compliance is expected, a policy can use definitive terms such as “must not” and “you must.” Such terms convey both inevitability and unquestionable support from management (Joint Task Force Transformation Initiative, 2011).
Standards
Standards are specific, low-level, compulsory controls that help enforce the security policy. While policies offer general direction, standards set out precise technical requirements. In practice, standards deal with details such as implementation steps, system design concepts, and software interface specifications, among other essentials. For instance, a standard can define the number of secret key bits required in an encryption algorithm. A policy, by contrast, would merely state the requirement to use an accepted encryption procedure whenever sensitive data is passed over public systems or networks like the Internet (Peltier, 2001). While policies are meant to last for five years or more, standards are intended to be enforced for only a few years. Standards also need to be altered noticeably more often than policies since the manual processes, organizational configurations, business procedur...