Policies vs Standards

Posted by ComplianceForge Support on Dec 13, 2024

What is the difference between a policy and a standard? They differ in two ways:

  1. Granularity / specificity of requirements; and
  2. Scope.

A policy is a high-level statement of management’s intent that formally establishes requirements to guide decisions and has strategic implications for the entire organization. Policies are intended to come from the CEO or board of directors. A few policy examples are:

  • EXAMPLE COMPANY shall ensure all technology platforms used in support of its business operations adhere to industry-recognized secure configuration management practices. Current and accurate inventories of technology platforms shall be maintained so applicable secure configuration settings can be enforced on those technology platforms; or
  • EXAMPLE COMPANY shall achieve and maintain situational awareness through comprehensive and ongoing monitoring activities to help ensure the security and resilience of its technology infrastructure against both physical and cyber threats. Technology assets shall be configured according to secure configuration management requirements to enable the capture of relevant security event logs. A centralized log analysis capability shall be used to identify anomalous behavior and support incident response operations so that appropriate steps can be taken to remediate potential incidents.

A standard is a formally established requirement regarding a process, action or configuration that is meant to be an objective, quantifiable expectation to be met. Standards are granular, clear requirements that support policies. A few standard examples are:

  • EXAMPLE COMPANY utilizes the “principle of least privilege,” which states that only the minimum access and functionality necessary to perform an operation should be granted and only for the minimum amount of time necessary. Asset custodians are required to:
    • Identify and remove insecure services, protocols and ports;
    • Enable only necessary and secure services, protocols and daemons, as required for the function of the system;
    • Implement security features for any required services, protocols or daemons that are considered to be insecure (e.g., NetBIOS, Telnet, FTP, etc.);
    • Verify services, protocols and ports are documented and properly implemented by examining device settings; and
    • Remove all unnecessary functionality, such as:
      • Scripts;
      • Drivers;
      • Features;
      • Subsystems;
      • File systems; and
      • Unnecessary web servers.
  • Asset custodians are required to configure all systems, devices and applications to implement automated audit trails for all system components and to automatically forward security-related event logs to a centralized log collector or Security Information and Event Management (SIEM) solution, so that EXAMPLE COMPANY security personnel can reconstruct the following events:
    • All individual user accesses to sensitive data (e.g., payment card data, SSNs, financial accounts, etc.);
    • All actions taken by any individual with root or administrative privileges;
    • Access to all audit trails;
    • Invalid logical access attempts;
    • Use of and changes to identification and authentication mechanisms, including but not limited to:
      • Creation of new accounts and elevation of privileges; and
      • All changes, additions or deletions to accounts with root or administrative privileges;
    • Initialization, stopping or pausing of the audit logs; and
    • Creation and deletion of system-level objects.

To learn more about policies and standards, see https://complianceforge.com/grc/policy-vs-standard-vs-control-vs-procedure.

Additional information about policies, control objectives, guidelines, controls, procedures and metrics, with examples, is available at https://complianceforge.com/content/pdf/complianceforge-cybersecurity-documentation-template-examples.pdf