An Information Security Program (ISP) is a comprehensive set of policies, standards, procedures, and controls designed to protect the confidentiality, integrity, and availability of an organization's information assets. The primary goal of an ISP is to manage and mitigate risks to information through the implementation of security measures, ensuring that sensitive data is protected from unauthorized access, disclosure, alteration, and destruction.
Information Security Policies are high-level business rules defining what the organization will do to protect information. Standards are more detailed statements about how the organization will implement the written policies.
Standards therefore set concrete, measurable requirements for how a policy must be carried out. A standard would, for example, define the minimum number of characters required in a password; the policy, on the other hand, would simply state that a password must be used.
Procedures are specific operational steps or manual methods that workers must follow to implement the goals of the written policies and standards. For example, many information technology departments have specific procedures for performing backups of server hard drives. In this example, a policy could describe the need for backups, for off-site storage, and for safeguarding the backup media. A standard could define the software to be used to perform backups and how that software must be configured. A procedure could describe how to operate the backup software, the schedule on which backups are taken, and the other ways in which staff interact with the backup system.
Policies are intended to last for up to five years, while standards are intended to last only a few years. Standards will need to be changed considerably more often than policies and should be reviewed annually or whenever relevant changes occur, because the manual procedures, organizational structures, business processes, and information systems technologies they reference change so rapidly.