Nate Howe
December 20, 2023
There are many reasons for an organization to create, maintain, and communicate documentation about its operations. Documentation promotes consistent service delivery over time and fosters a culture of risk reduction and compliance with applicable requirements. In fact, anyone who has experienced an audit of their area is familiar with the process of sharing documentation that will be reviewed by the audit team.
Below, we detail the most common document types governing an organization. These are certainly used within the information security space, though they can be generally applied to many aspects of an organization.
Even with the best of intentions, colleagues sometimes use these terms interchangeably, despite there being distinct differences for each document type. Some organizations even combine the distinct concepts into a single document, though best practices suggest that separate documents help connect audiences to relevant material and make updates more manageable.
A policy contains general management statements that set expectations applicable to all stakeholders in the organization, helping the reader understand “why” certain requirements are in effect. For example, when someone is curious why the Information Security Office (ISO) blocked network access for a system believed to be at high risk of compromise by malware, they can reference the relevant policy document to understand the authority associated with such action.
Organizations vary in terms of how policy is established and formalized, but it is common for universities to leverage a collaborative drafting process and require approval of a policy via committee. The organization’s values, roles and responsibilities, and consequences for non-compliance may all be explained within a policy. Once published, policy statements remain valid over the long term, often relevant for many years, and there could be discipline and even termination for those who do not comply.
Information security topics are documented in the following UT Dallas policy: http://policy.utdallas.edu/utdbp3096
A standard is a set of prescribed practices or configurations associated with a particular technology, product category, or area of control, aimed at helping the reader understand “when” they need to act and “what” they need to do. For example, when someone installs a new computer on campus, they can reference standards documents as guidance and check which conditions apply to their newly installed solution.
As technologies emerge that will be used at the university, standards may be created and updated by subject matter experts who are given the authority, through policy, to publish such standards. For example, the UT Dallas policy, UTDBP3096, defines the following:
Information Security Standards: Documented controls specified for specific technology components which, when implemented, reduce risk of compromise (e.g. change default passwords, disable unnecessary services, apply current compatible patches, include in backup scheme)
Based on this definition, the ISO collaborates with campus stakeholders to publish various standards on specific topics that change frequently. While UT Dallas depends on several IT units within schools to configure and support IT equipment locally, standards provide a common instrument for protecting IT consistently, so the same objectives can be achieved by multiple teams.
The ISO currently offers several “Standards Documents” on topics such as Cloud Services, Data Storage, and Servers. These documents are linked on the following page: https://infosecurity.utdallas.edu/resources/
Procedures are instructions that describe how to do a specific task, helping the reader to understand “who” should perform the task and “how” they should perform it. For example, when someone needs to turn off a critical computer system, they can reference the procedure documents to safely do so without unnecessary outages.
Procedures may be established for organization-wide consumption or set within individual schools and departments to promote consistent and successful operations of their specialized areas. Procedures often harmonize with policy and/or standards, outlining specifically how to accomplish compliance with those requirements through a series of steps. In the context of information security, procedures may describe settings and commands within a product that accomplish beneficial risk reduction.
Here is a link to a procedure for requesting access to certain data. It informs the reader about how to operate within the organization: https://infosecurity.utdallas.edu/files/2023/01/Process_UserData.pdf
A guideline is a set of recommended practices or configurations associated with a particular technology category or area of control, aimed at helping the reader build awareness or leverage institutional learning. For example, when a UT Dallas employee wants to know how to keep their personal home router secure from cyberattacks, they can reference guidelines to learn how to activate enhanced protections.
Guidelines can be created for the whole organization or for individual schools and departments to promote consistent and successful operations. Though not enforceable like policies and standards, guidelines do resemble standards because they may specify controls or settings. The guideline promotes a culture of risk reduction by educating stakeholders about best practices.
The following article offered by the ISO could be considered a guideline when referring to use of personal equipment while telecommuting: https://infosecurity.utdallas.edu/cyber-commuting-101-tips-checklist/
We often get questions in the ISO such as, “What do we need to do to comply?” Such questions are welcomed, but not easy to answer. Fully complying with all requirements is a complex task that involves many factors, such as national and state laws, UT System Administration requirements, business partner contractual requirements, and local policies, standards, and procedures. Further, the ethical operation of an organization depends on considering our shared values and reputation in the community, because the appropriate measures to respond to emerging risks may not yet be captured in any documentation.
The terms above are not unique to UT Dallas; many universities and industries create such documents, though interpretation sometimes differs slightly. Additional terms, such as baselines, processes, and frameworks, are also considered among governance documents. For more information, see these websites:
https://it.utexas.edu/policies
https://infosec.uthscsa.edu/policies-standards-guidelines
https://policies.vt.edu/policiespyramidnew.pdf
https://development.policy.wisc.edu/2022/06/01/is-it-a-policy-procedure-or-guideline/
https://security.calpoly.edu/content/policies/index