Assessment
Policies, standards, and procedures are an integral part of your cybersecurity program. These policy documents are used to lay the foundation of how you intend to run your cybersecurity program. From information security to asset management and software development, policies are used to document how you run certain programs for your organization.
Policies are meant to be high-level documents used to describe your intent to implement security controls. These documents should be written in such a way that you can freely distribute them or put them on a public site without fear of giving away too much information. The intent is to be able to distribute the documents without the need for an NDA to be in place between the organization and the customer or third-party vendor.
A standard is a document used to describe the "what" of the intent. For example, a standard for encryption should specify the appropriate encryption algorithms and bit strengths to be used. This document...