Security Policies in an organization’s security system are divided into two broad categories:
1. Management’s Security Policy (or Organizational Policy)
This is the high-level security policy of the whole organization. It states management's security goals and objectives in writing, documents compliance obligations, and creates a security culture within the company. It also establishes the security function and holds individuals personally responsible for any security breaches.
2. Functional Implementing Policies
The functional policies are guided by the high-level organizational policy and are used to actually implement its goals and objectives. Examples of functional policies are:
- Data Classification
- Access Control Policy
- Remote Access Policy
- Internet and Acceptable Use Policy
- Privacy Policy
From functional policies come the supporting elements which are:
- Standards
- Procedures
- Baselines
- Guidelines
Standards
Standards specify the hardware and software mechanisms and products that the whole organization uses uniformly to establish and enforce a secure environment.
Procedures
Procedures, like policies, are considered MANDATORY requirements in a security system. Procedures are step-by-step written actions to be performed to accomplish a security requirement or objective. Examples of procedures are password changing, incident response and business continuity procedures. Procedures help to reduce mistakes in a crisis and ensure that important steps are not missed.
Baselines
These are the minimum level of security configuration that can be carried across multiple implementations of a system and across many different products. Baselines describe how to implement security mechanisms so that implementations result in a consistent level of security throughout the organization.
Guidelines
Guidelines are recommendations for security product implementations, procurement, planning etc. They take the form of white papers, best practices etc. Examples of guidelines are ISO17799, Common Criteria and ITIL.