paulveillard / cybersecurity-security-policies

Security Policies: Industry Standards, Procedures, Guidelines, and Best Practices

Table of Contents

What are Security Policies?

Security policies should include industry standards, procedures, and guidelines, which are necessary to manage information risks in daily operations.

These policies must also have a well-defined scope. The foundation of the security policy should be based on the security triad (confidentiality, integrity, and availability). Ultimately, the users are required to protect and ensure the applicability of the security triad in the data and systems, which is independent of how that data was created, shared, or stored. Users must be aware of their responsibilities, and the consequences of violating these policies. Make sure that you also include a section that specifies the roles and responsibilities, since this is very important for accountability purposes.

Policy

Policy: This is the basis of everything; it sets high-level expectations. It will also be used to guide decisions and achieve outcomes.

Procedure

Procedure: As the name suggests, this is a document that has procedural steps that outline how something must be done.

Standard

Standard: This document establishes requirements that must be followed. In other words, everyone must comply with certain standards that were previously established.

Guidelines

Guidelines: Although many would argue that guidelines are optional, they are in fact additional recommended guidance. Having said that, it is important to note that each company has the freedom to define whether its guidelines are optional or recommended.

Best Practices

Best practices: As the name says, these are best practices to be implemented by the entire company, or just some departments within the company. This can also be established per role—for example, all web servers should have security

License

MIT License & cc license

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.
