I'm currently working on the definitions section of a paper. Therefore I have to define the term "Guideline" and what its relationship to other terms (Standards, Policies, Procedures) looks like.

However, all I can find are some definitions that somehow contradict each other, e.g.:

  1. Guidelines usually provide a general overview, and may be used in situations where no specific policy or standard applies.

  2. A guideline is a statement in a procedure or policy that determines a specific route or course of action.

  3. Sometimes security cannot be described as a standard or set as a baseline, but some guidance is necessary. These are areas where recommendations are created as guidelines to the user community as a reference to proper security.

  4. Guidelines are more general statements about things that should be done to realize the policy. They are designed to support standards or serve as a reference for policies.

  5. Still, guidelines are an important part of business processes. They help employees know how to act in situations where they’re not sure how a standard or policy applies.

On the one hand, it is stated that they take effect when no policies or standards are in place (1 & 3 & 5). On the other hand, they are used to guide policies and standards (2 & 4). So I don't really get the main idea of guidelines.

Could anyone clarify how guidelines are used in practice?

koapsi

1 Answer

Welcome to the quagmire of documentation terminologies!

In short, there is no single standard way that documents are named and labeled. It is best either to pick a set of definitions from an established framework (NIST, ISO 27000, etc.) or to define the terms in your organisation (and stick to them!).

I have worked in a number of organisations and when the topic of "what do I call this security document?" comes up, everyone sighs and rolls their eyes. In practice, everyone has an opinion, and each organisation does it differently. The (series of) meetings about what to call things can be lengthy indeed for what should be a simple process ("'policy' seems like such a stuffy and unfriendly term!").

What complicates it all the more is when you need to combine different types of documents into a single document so that "we don't have dozens of different 1-page documents that no one will read".

In general, a guideline document is an over-arching set of goals and intentions that can be used when there is no policy/procedure in place, and potentially to guide the content of policies/procedures. It's more of a cultural document than a technical one.

A great example is the "User Password Guideline" document. The policies and procedures for how to handle passwords at the system level are set independently and may have technical controls in place. But the organisation wants to encourage good use of passwords by the users. So, even though the system password Policy states that passwords should be no shorter than 8 characters (or whatever) the Guideline for users is about encouraging them to use very long passwords. It's not something you can force to happen, but there's a guideline in place to handle the risks of poorly formed passwords when the policies, procedures, and technical controls might not be able to address that risk on their own.

In some of my organisations, I combined the Password Guidance and the Password Policy into a single document. One part to explain the whys and the organisation's expectations about how passwords are handled, and then all the technical bits after. If users follow the Guidance, they will be fine. If they need to get fancy with the requirements, then those details are available, too.

schroeder