Security policies and standards
Enterprise policies and standards are meant to be the written law on how to implement, use, and monitor a technology, process, and other HR and legal scope items. For the purposes of the book, we will focus on IT policies and standards. These "laws" also serve as a warning to consequences if there is a violation of the policy. For instance, an employee cell phone policy may be created in response to the business request to use personal phones for business. However, with the ability to use a personal cell phone, there may be restrictions on using the "smart" features to access enterprise data, or a requirement to load a mobile device management application on the cell phone. The standard in this scenario may be a requirement of a certain smart phone operating system type and version level. This may be driven by management and security capabilities of the platform.
Policy versus standard
These two document types are different and commonly confused. In an effort...
