Differentiating Key Terms in the Information Security Hierarchy

Author: Amy Diestler, CISA, Governance, Risk, and Compliance Analyst
Date Published: 26 February 2020

The following terms may be familiar, but they can be used incorrectly. Many of these will be referred to as “policies,” even if that’s not what they truly represent. Having a better understanding of these terms enables your organization to create better governance documentation.

Principle
This is the highest level of ideas and values that serves as a guide or foundation for decision-making. For example, the core principles of information security related to the utilization, flow and storage of information are confidentiality, integrity and availability, commonly referred to as the CIA triad. If a principle is going to be adopted by an organization, it would typically be approved by a board of directors.

Policy
A formal, mandatory statement used to reflect business or information security program objectives and govern enterprise behavior is the definition of a policy. The policy should not be too detailed, so that it can withstand the test of time as well as changes in technology, processes, or management. To ensure the policy stays relevant, it should be reviewed and updated on an annual basis. It should not dictate how to accomplish something but rather provide a framework for what should be completed. For example, an access management policy may include a phrase requiring user authentication credentials for all company-owned devices/desktops/servers/systems in order to protect information, networks and systems from unauthorized access.

Standard
This is used as a specification to follow when applying policies and may dictate mandatory requirements. A standard may indicate expected user behavior, be very specific to hardware or software, or describe actions, rules, controls, or configuration settings. The goal is to make the policy to which the standard relates more meaningful and effective. For example, an access management standard may state that user IDs may not be shared or transferred to other users. Keep in mind that standards need to be enforced to be effective.

Guideline
A guideline is a suggested course of action designed to achieve standard or policy objectives. It is not mandatory and should provide flexibility for individual situations. This could be used in circumstances where rigid requirements can’t be met, specific standards do not apply, or requirements need to be customized for a specific audience or circumstance. For example, security guidelines may be established to protect against malware, such as scanning all attachments and downloads.

Baseline
This is a set of fundamental rules that provides direction for specific implementation or configuration standards. Baselines may be specific to a platform, system, network, or device type, and the goal is to be uniform and consistent. A baseline may also be mapped to industry standards and controls. For example, an organization may create a baseline for Linux server operating systems that requires multi-factor authentication to be enabled.

When creating any of these documents, the bottom line is that they need to be easy to understand and able to be implemented. Having too many of these documents can become confusing, so an organization should be selective when determining which kind of documentation will be useful. Hopefully, having a better understanding of these terms will allow the organization to craft governance documentation that lessens confusion and decreases inefficiencies.