Security Terminology
Information security (Infosec) terms are used in varying ways by both security and non-security professionals. It's interesting how many of these terms are used loosely to mean the same thing.
I came across a set of documents recently about security policy, process and standard; this has made me attempt to clarify these terms in my own understanding. Hence, the table below is an attempt to provide some distinction among these terms.
Policy
A policy is a plan of action based on principle decided by a body/organisation/individual.
A policy outlines requirements, rules or expectations that must be met.
Different types of policies:
Corporate Policy – is a high-level (strategic) plan of action, rules or requirements. It is the foundation on which the business operates. It should be broad, concise and applicable. It should not include the detailed, specific actions, requirements and procedures required for every area of the business.
For example:
• Information Assurance Policy
• Corporate Security Policy
System-specific Policy – is a detailed plan of action or requirement covering a specific task.
Examples include:
• Antivirus Policy
• Firewall Policy
Procedure-specific Policy – is a detailed specific requirement or rule expected of people who work in a particular organisation.
Examples include:
• Acceptable Use Policy (AUP)
• Identity Card (ID) Policy
• Clean Desk Policy
Standard
A standard is a collection of policies (system-specific and procedure-specific policies) that governs people/bodies/organisations.
Different types of standards:
Organisation Standard – an organisation-wide standard that governs everyone who works for that organisation. This may include its delivery patterns.
For example:
• Organisation standard for Encryption
Technology Standard – a technology-specific standard that has been approved by an industry consortium or industry standards group.
For example:
• IEEE 801.11 - Wireless LAN Standard
Industry Standard – an industry-wide standard that governs a particular industry.
For example:
• PCI DSS standard that governs credit card handling industries
Worldwide Standard – a standard that has been approved by an international standards organisation.
For example:
• ISO 270001 (British Standard)
• ISO15408 (Common Criteria)
Process
A process is a series of operations (a series of stages or actions) required to complete a task. For example, the series of stages a product passes through during its development.
For example:
• Operating System Rollout Process
• Forensic Readiness Process
• Incident Handling Process
Guideline
A guideline is a recommendation of best practice. It is not an enforced requirement, but a recommendation based on best practice.
For example:
• How to create a strong password guideline (should contain alphanumeric characters, a mix of upper- and lower-case letters, etc.)
Procedure
A procedure is a step-by-step working instruction on how to complete a specific task, action or activity. A procedure can be regarded as synonymous with a working instruction.
For example:
• Audit Log Procedure
• Data Backup Procedure
Working Instruction
A working instruction is a task-specific guideline on how to carry out an action, task or activity.