Information Security Policies, Standards, Procedures

By | November 19, 2016
Policies & Procedures

Policies, Standards, Procedures – Information Security Governance Documents

Information Security Governance documents consist of Policies, Standards, and Procedures.

  • Policies are top-level governance documents that inform the organization of executive management’s information security direction and goals.
  • Standards are just below policies and define the activities and actions as baselines needed to meet policy goals.
  • Procedures are the lowest level documents and provide direction on how to meet security directives and activities, example; a step-by-step checklist (Grama, 2015, pg.398-399).

Examples of common security policies include: Internet Usage policy, Email Usage Policy, and a Password Policy.

A Security Policy typically contains the following elements:

  • Overview that explains the elements of the policy and what it covers in broad terms.
  • Purpose statement that provides a definition of appropriate use of internet services in an organization.
  • Scope statement that specifies what elements are covered by the policy, and who it applies to.
  • Policy. This can include elements such as resource usage, allowed usage, and personal usage. Additional elements could include for example prohibited and allowed usage of the internet.
  • Policy compliance.
  • Related standards and policies.

Other elements contained in policies of this nature often include: publically accessible internet connected information, monitoring, confidentiality, company image, company materials, and web site creation using organization assets (SANS internet policy, 2013).

The University of Georgia provides a password policy with the following elements:

  • Overview.
  • Objective / Purpose.
  • Scope.
  • Policy standard which includes the following elements:
    • Minimum Password Length.
    • Password Composition.
    •  Password Management.
    • Password Storage.
    • Password Aging.
    • Password Reuse.
    • Password Sharing and Transfer.

Other elements of the policy include: Electronic Transmission, Password Requirements for System Administrators and Developers, Enforcement, and Exceptions (University of Georgia Password Standard, n.d.).



Grama, J. L. (2015). Legal issues in information security (2nd ed.). Boston, MA: Jones & Bartlett Learning.

SANS internet policy. (2013). Internet usage Policy. Retrieved June 14, 2016, from

University of Georgia Password Standard. (n.d.). Password Policy. Retrieved June 14, 2016, from



5 thoughts on “Information Security Policies, Standards, Procedures

  1. Pingback: Implementing Security Policies in Flat and Hierarchical Management Structures - Zymitry

  2. Pingback: Information System Acceptable Use Policy (AUP) - Zymitry

  3. Pingback: Framework and Policy Development Team - Zymitry

  4. Pingback: Security Policy Template for Hand-Held Devices - Zymitry

  5. Pingback: Security Policy Example - Remote Access - Zymitry

Leave a Reply