Building a Strong Foundation for Security and Compliance

What Are Policies?

Policies are a set of guidelines, rules, or principles that an organization or institution uses to achieve its goals. They outline expectations, provide a framework for decision-making, and promote consistency and compliance.

IT policies may address areas such as acceptable use, access management, AI, asset management, change management, cybersecurity, data management, disaster recovery, incident response, record retention and disposal, risk management, among others.

Policies can help logically communicate to the team an organization’s values, culture,
and philosophy with regard to technology strategy and use.

What Are Plans?

Plans are a set of procedures that detail the step-by-step execution of policy directives. For instance, while an incident response policy outlines the high-level strategy for addressing a data security incident, and incident response plan provides the response team with detailed instructions on how to respond to the incident. Plans offer comprehensive, A-to-Z guidance on the actions to take in particular situations.

Where a policy would tell a Cardinal that a nest is needed, the procedures would be the instructions on where to get the materials and how to build the next.