Sage Advice - Cybersecurity Blog

Elements of an Information Security Policy Hierarchy

An Information Security Policy provides the foundation for a successful cybersecurity program that can protect your information, help you prepare for and adapt to changing threat conditions, and withstand and recover rapidly from disruptions. A well-written policy clearly defines guiding principles, provides guidance to those who must make present and future decisions, and serves as an implementation roadmap. Policies are important, but alone they are limited in what they can accomplish. Policies need supporting documents to give them context and meaningful application.

Policy Hierarchy

Standards, baselines, and procedures each play a significant role in ensuring implementation of the governance objectives of a policy. The relationship between these documents is known as the policy hierarchy. In a hierarchy, with the exception of the topmost object, each object is subordinate to the one above it. In a policy hierarchy, the topmost object is the guiding principle.

Policies reflect the guiding principles and organizational objectives. Standards enable the policies by defining action. Guidelines, procedures, and baselines support the standards. Let’s take a closer look at each of these concepts.


Standards serve as specifications for the implementation of policy and dictate mandatory requirements. For example, a password policy might simply state the following:

  1. All users must have a unique user ID and password that conforms to the company password standard.
  2. Users must not share their password with anyone regardless of title or position.
  3. If a password is suspected to be compromised, it must be reported immediately to the help desk and a new password must be requested.

The password standard would then dictate the required password characteristics, such as the following:

  1. Minimum of eight upper- and lowercase alphanumeric characters
  2. Must include at least one special character
  3. Must not include the user’s name, the company name, or office location
  4. Must not include repeating characters

As you can see, the policy represents expectations that are not necessarily subject to changes in technology, processes, or management. The standard, however, is very specific to the infrastructure. Standards are determined by management, and unlike policies, they are not subject to Board of Directors authorization. Standards can be changed by management as long as they conform to the intent of the policy.
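The four characteristics in the password standard above can be checked mechanically. The following Python sketch is an added example, not part of the original article or the book it is excerpted from. It assumes one reading of the rules: at least eight characters in total with both upper- and lowercase letters, "special character" meaning any non-alphanumeric, non-space character, forbidden terms matched case-insensitively, and "repeating characters" meaning the same character twice in a row. The function name, violation labels, and sample names are hypothetical.

```python
import re

MIN_LENGTH = 8  # rule 1 of the standard


def _forbidden_terms(values):
    """Lower-cased words (3+ chars) plus the space-free form of each value."""
    terms = set()
    for value in values:
        words = value.lower().split()
        terms.update(w for w in words if len(w) >= 3)
        joined = "".join(words)
        if len(joined) >= 3:
            terms.add(joined)
    return terms


def check_password(password, user_names, org_terms):
    """Return the list of rules the password violates (empty list = conforms)."""
    violations = []
    # Rule 1 (assumed reading): eight or more characters, mixed case.
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        violations.append("mixed_case")
    # Rule 2: at least one special character.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("special_character")
    # Rule 3: no user name, company name, or office location.
    lowered = password.lower()
    banned = _forbidden_terms(list(user_names) + list(org_terms))
    if any(term in lowered for term in banned):
        violations.append("forbidden_term")
    # Rule 4 (assumed reading): no character repeated back to back.
    if re.search(r"(.)\1", password):
        violations.append("repeating_characters")
    return violations


# Constructed sample data, not taken from the article.
SAMPLE_USER = ["Dana", "Reyes"]
SAMPLE_ORG = ["Example Corp", "Portland"]

if __name__ == "__main__":
    for candidate in ["Tr1cky&Plain", "dana2024!", "Portland##1", "Ab1!"]:
        print(candidate, check_password(candidate, SAMPLE_USER, SAMPLE_ORG))
```

Returning every violated rule, rather than stopping at the first, lets a help desk or enrollment form tell the user everything that needs to change in one pass.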


Baselines are an aggregate of implementation standards and security controls for a specific category or grouping, such as platform (e.g., Windows OS), device type (e.g., iPad), ownership (e.g., employee owned), and location (e.g., mobile users). The primary objective of a baseline is uniformity and consistency. An example of a baseline related to the password policy and standard example is the mandate that a specific Active Directory Group Policy configuration be used on all Windows devices to technically enforce security requirements.

In this example, by applying the same Active Directory Group Policy to all Windows workstations and servers, the standard was implemented throughout the organization. In this case, there is also assurance that new devices will be configured accordingly.


Guidelines are best thought of as a teaching tool. The objective of a guideline is to help people conform to a standard. In addition to using softer language than standards, guidelines are customized for the intended audience and are not mandatory. Guidelines are akin to suggestions or advice.

A guideline related to the password standard in the previous example might read like this: A good way to create a strong password is to think of a phrase, song title, or other group of words that is easy to remember, e.g., ‘Up and at ’em at 7!’. Then convert it into a password like this: up&atm@7!. You can create many passwords from this one phrase by changing the number, moving the symbols, or changing the punctuation mark.


Procedures are instructions for how a policy, standard, baseline, or guideline is carried out in a given situation. Procedures focus on actions or steps, with a specific starting and ending point. There are four commonly used procedure formats:

  1. Simple step – Lists sequential actions. There is no decision making.
  2. Hierarchical – Includes both generalized instructions for experienced users and detailed instructions for novices.
  3. Graphic – This format uses either pictures or symbols to illustrate the step.
  4. Flowchart – Used when a decision-making process is associated with the task.

In keeping with our previous password example, let’s take a look at a Simple Step procedure for changing a user’s Windows password:

  1. Press and hold the Ctrl+Alt+Delete keys.
  2. Click the Change Password option.
  3. Type your current password in the top box.
  4. Type your new password in both the second and third boxes. If the passwords don’t match, you will be prompted to reenter your new password.
  5. Click OK and then log in with your new password.

Plans and Programs

The function of a plan is to provide strategic and tactical instructions and guidance on how to execute an initiative or how to respond to a situation, within a certain timeframe, usually with defined stages and with designated resources. Plans are sometimes referred to as programs. Here are some examples of information security-related plans:

  • Vendor Management Plan
  • Incident Response Plan
  • Business Continuity Plan
  • Disaster Recovery Plan

Policies and plans are closely related. For example, an Incident Response Policy will generally include the requirement to publish, maintain, and test an Incident Response Plan. Conversely, the Incident Response Plan gets its authority from the policy. Quite often, the policy will be included in the plan document.

Want to learn more about information security policy? Read Seven Characteristics of a Successful Information Security Policy.

Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.