The difference between a policy, a standard and a practice is as follow:
Policy: It can be defined as the written instructions that describe proper behavior.
Standard: It can be defined as the detailed statement of what must be done to comply with policy.
Practice: It can be defined as the examples of actions that would comply with policy.
The three types of security policies are:
Enterprise Information Sec. Policy (EISP)
: High level policy that sets the strategic direction, scope, and tone for the organization's security efforts. Use: It is used to support the mission, vision and direction of the organization and sets the strategic direction, scope and tone for all security efforts
Issue Specific Sec. Policy (ISSP)
: An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. Use: It is used to support routine operations and instructs employees on the proper use of these technologies and processes
System Specific Sec. Policy (SysSP): Organizational policies that often function as standards or procedures to be used wen configuring or maintaining systems. SysSPs can be separated into two general groups-managerial guidance and technical specifications- but may be written as a single unified document. Use: It is used as a standard when configuring or maintaining systems.
ISSP policy would be needed to guide the use of the web, email and use of personal use of office equipment.
