Policies
Organizations all too often will combine a policy with a standard or procedure. This can be troublesome when you are trying to provide the correct information, especially during an audit. A policy is an overarching document that supplies the intent of implementing a control or control family. Policies are high-level documents used to establish governance with the intention of implementing administrative, technical, and physical controls used to reduce organizational risk.
Policies should not go into detail about the configurations or processes that an employee or a piece of technology should use. This is the job of standards and procedures. Policies are high level, meaning that you should write the document in such a way that you are not giving away too much information.
As previously stated, policies state the intent of doing or performing a particular task. For example, if you intend to place smart card readers at each of your ingress/egress points to a building, this...
