Information Security Policy Document Definitions

University-wide IT policies, standards, guidelines, and procedures are defined as follows:

Policy: An overall general statement of principle that provides scope and direction that is technology agnostic. IT policies may be initiated by the IT executive leadership, the University Security Officers’ Working Group, IT Purdue Systems Security and Policy, or other interested stakeholders when a need for a policy is identified.

Standard: Mandatory activities, actions, rules, or regulations that are usually technology agnostic. A “baseline” defines the minimum standard that must be met. Standards are created by cross-organizational working groups consisting of subject matter experts.

Guidelines: Recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines are not necessarily technology agnostic. Guidelines are created by cross-organizational working groups consisting of subject matter experts.

Procedures: Detailed step-by-step tasks that should be performed to achieve a certain goal and are often dependent on the technology being implemented. Procedures are considered to be the lowest level in the policy hierarchy tree. Procedures are often created by local or departmental groups and are shared when needed.