Policies are high-level statements of management intent, expectations and direction relating to the protection of information across the business. They are produced and approved by senior leadership at the University.
Standards provide specific, low-level, mandatory controls required to enforce and support the information security policy.
Standards help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.
Guidelines provide recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely and a separate guideline may outline the best practices for using the internet and managing your online presence.
Procedures provide step-by-step instructions to assist workers in implementing the various policies, standards and guidelines.
Whilst the policies, standards and guidelines set out the controls that should be in place, a procedure gets down to specifics, explaining how to implement those controls in a step-by-step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden/secure the operating system so that it satisfies the applicable policy, standards and guidelines.