Documentation descriptions
In order to avoid confusion when referring to documentation associated with the University's Information Security Management System, the following descriptions have been defined:
Policy
A Policy is a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities. Compliance is mandatory, and those to whom it applies may be held to account for any non-compliance outside the exemption process.
Standard
A Standard is a collection of system-specific or procedure-specific requirements that must be met by everyone working in a particular area or with a given system. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment. Those to whom a Standard applies are accountable for fulfilling the required criteria.
Charter
A Charter is typically a document that specifies the rules under which those undertaking specific tasks covered by the charter are required to work. It sets out the parameters of acceptable working for those who are granted privileged access to facilities or information that requires special handling or controls. For example, you might have a charter that defines who can access certain computer logs and what they can and cannot do with the information that they view. Those to whom a Charter applies are accountable for fulfilling the required criteria.
Guideline
A Guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but they are strongly recommended. Effective security policies make frequent reference to the Standards, Guidelines and Charters that exist within an organization.
Procedure
A Procedure is typically a document that outlines the sequence of actions or instructions to be followed in solving a problem or accomplishing a task. It often takes the form of, or is supported by, a flowchart that depicts the procedure from start to completion, including the decisions and options that may need to be considered under various circumstances. Adherence to a Procedure may be mandatory or optional depending on the criticality or objective of the tasks.