CHAPTER 1 | Information Systems Security Policy Management

Information Systems Security Policy Management

A policy is a document that states how the organization is to perform. It describes how to conduct business functions and transactions with a desired outcome. It sets the stage for secure control of information. It is the "who does what to whom and when" document. It should reflect leadership's commitment to protecting information.

A procedure is a written statement describing the steps required to implement a process. Remember that procedures support policies and standards. Procedures describe how to accomplish specific tasks. A more detailed procedure produces a more error-free result.

A guideline sets the parameters within which a policy, standard, or procedure can be used. A guideline is optional. It is a policy-support document. Similar to procedures, guidelines help businesses operate more smoothly. They are not as rigid.

NOTE: A policy is often approved by the most senior levels of management. A procedure or guideline is often approved by lower-level management responsible for the implementation of policies.

How Policies and Standards Differ

Now that you know what policies are, let's discuss the difference between policies and standards. Policies implement controls on a system to make it compliant with a standard. Standards influence the creation of policies. Standards often determine a minimum