Security Standards

The term “security standards” is used in two distinct ways, one correct and the other incorrect. Unfortunately, “security standards” is a common “word crime,” since the term is so often used improperly. Using proper definitions avoids confusing situations such as trying to describe a “football bat,” which is not a thing.

Proper use of “security standards” refers to formalized, measurable rules that provide the granular requirements needed to implement policies. Standards ensure uniform compliance across systems, and any exception must be formally justified (unlike policies, which typically allow no exceptions at all).

Where a policy states “protect data,” a security standard specifies organization-specific requirements like encryption level, password strength, system configurations, or patch timelines. Examples include:

  • Password standard: 8+ characters, complexity rules, rotation every 90 days;
  • Configuration standard: unnecessary services disabled, secure baseline per CIS Benchmarks or DISA STIGs; and
  • Encryption standard: TLS 1.2+ with AES-256 and FIPS-validated modules.
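The difference between a policy (“protect data”) and a standard is that a standard is measurable, so compliance can be checked mechanically and exceptions recorded with a justification. The following is an added example, not content from the original page: the encryption standard above expressed as rules and checked against a constructed inventory. The `TLS_STANDARD` values, the `SystemRecord` fields and the sample systems are assumptions for illustration.

```python
"""Added example: a security standard as measurable rules, checked against
constructed system records. Names and sample data are assumptions."""
from dataclasses import dataclass

# A standard is a set of granular, measurable requirements. These values
# follow the page's encryption example (TLS 1.2+, AES-256, FIPS modules).
TLS_STANDARD = {
    "min_tls_version": 1.2,
    "allowed_ciphers": {"AES-256-GCM", "AES-256-CBC"},
    "fips_validated": True,
}

@dataclass
class SystemRecord:
    name: str
    tls_version: float
    cipher: str
    fips_validated: bool
    # Exceptions must be formally justified; an empty string is no justification.
    exception_justification: str = ""

def check_tls(record: SystemRecord, standard: dict = TLS_STANDARD) -> dict:
    """Evaluate one system against the standard.
    Status is 'compliant', 'excepted' (fails, but a justification is on file)
    or 'non-compliant' (fails with no justification)."""
    results = {
        "min_tls_version": record.tls_version >= standard["min_tls_version"],
        "allowed_ciphers": record.cipher in standard["allowed_ciphers"],
        "fips_validated": record.fips_validated or not standard["fips_validated"],
    }
    failures = [name for name, ok in results.items() if not ok]
    if not failures:
        status = "compliant"
    elif record.exception_justification.strip():
        status = "excepted"
    else:
        status = "non-compliant"
    return {"system": record.name, "failures": failures, "status": status}

# Constructed sample inventory (not real systems).
INVENTORY = [
    SystemRecord("web-01", 1.3, "AES-256-GCM", True),
    SystemRecord("legacy-app", 1.0, "RC4-SHA", False,
                 "Vendor EOL appliance; replacement approved in change ticket <PLACEHOLDER>"),
    SystemRecord("db-02", 1.2, "AES-128-GCM", True),
]

def audit(inventory=INVENTORY) -> list:
    """Check every system and return one result row per system."""
    return [check_tls(record) for record in inventory]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

Note that `db-02` fails only the cipher rule and carries no justification, so it is reported as non-compliant rather than silently accepted.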

Improper use of “security standards” refers to common cybersecurity frameworks (e.g., SCF, NIST CSF, ISO 27001, NIST 800-53, etc.). What is actually being described in that case is a “security framework,” which is a basic structure underlying a system, concept, or text.