
A security program is built on policies. Common policy types are regulatory, advisory, organizational, issue-specific, and system-specific.
A regulatory policy is highly detailed, specific to a particular industry, and mandated by federal, state, industry, or contractual requirements.
An advisory policy is strongly recommended but not mandatory, although it may still carry penalties for failure to comply. Most of the policies you encounter in practice fall into this category.
An organizational policy comes from executive management and lays out company objectives.
An issue-specific policy concentrates on a specific issue in an organization.
A system-specific policy focuses on the use and maintenance of one system.
Guidelines are also recommendations rather than mandates; they cover operational guides, configuration advice, and actions in areas where no standard applies.
Standards are mandatory rules that dictate how hardware and software are to be used and how employees are expected to behave. They are the specific requirements that define and support the higher-level policies.
Procedures are step-by-step instructions for completing a task. Examples include standard operating procedures (SOPs) and function books.