Information security team reviewing governance pyramid

“Everyone hears only what he understands.”
— Johann Wolfgang von Goethe

Thus far we have discussed Policy, Standards, and Process. These are administrative tools for the governance of information security, but now we look beyond governance to application.

The overall picture of governance can be viewed as a pyramid. Policy is at its base. Policy is the enabler that the business sets in place. Standards dictate how the policy is interpreted into uniform products and methods. Processes define the “How” in a consistent manner. On the practical side, we now come to Procedures, Guidelines, and Patterns.

Graphic showing the four key tiers of the governance pyramic


While processes define an overall flow of how security policies and standards should be implemented, procedures define – in a step-by-step manner – what actions to take. Procedures are operational how-to documents that ensure that configurations are correct, settings are properly defined, and that as much of the processes defined are operational. Procedures can include runbooks, configuration management, disaster recovery and business continuity plans, and methods of vulnerability prevention. Procedure is where the “rubber hits the road.”

Procedures are, by far, the most substantial documentation. A single process may yield hundreds of procedures, all of which can be traced back to a single policy. This provides consistency in operation, the ability to quickly adapt in a changing security environment, and end-to-end auditability that can satisfy both internal and external auditors.


In what seems to be a world of absolutes, there are a lot of things that are just a good idea. For this, we have Guidelines. Guidelines provide user-level guidance on security issues. They can cover subjects like clean desks, complex password selection (beyond the minimum requirements), and things that you can do to secure your home computer use. Guidelines can be important.  A user who is disciplined about their home security is more likely to bring those practices into the office, and vice-versa.

Guidelines also provide a convenient way to communicate best practices to less technical users.  They do not need to be as formal as much of the other governance documentation, and they are more accessible. Where a procedure is a “Must”, a guideline is a “Should”.


Patterns, based in policy, span all of the other levels of the governance structure. Patterns are documented sets of Standards, Processes, Procedures, and Guidelines that can be easily moved between projects and solutions. Once a pattern is established, it simplifies support, gains recognition by users, and enables change in the security infrastructure with minimal pain to the programmers and users.

An example of a pattern, based in the Document Classification Policy, is the set of:

  • The document labeling standard
    • The physical document classification process
      • The document marking procedure
      • The document covering procedure
        • The clean desk guideline
    • The electronic document classification process

Following the pattern allows you to construct the whole series for electronic documents. This saves work and review.  Because it is done the same way in all occurrences, when a new control is put into place for a physical control, it prompts the equivalent control to be adopted in the electronic pattern.

Wrapping Up

There are three things to remember when establishing or re-imagining a security governance structure:

  1. Compliance is easier if the structure is well organized,
  2. Being consistent produces an environment that is both supportable and understandable by non-technical clients,
  3. Any step within the structure should always be traceable back to policy and a business need.

By following the basic steps of simplicity and traceability, any organization can have a workable and auditable information security governance structure.

This is part 3 of a 3-part series.

1. The Secrets Behind Information Security Organization
2. What is SAAP? It is Security as a Process
3. Three Elements that Complete the Governance Pyramid

Photo of Garnet River Information and Cybersecurity practice lead Michael D Weisberg

Michael D. Weisberg, CISSP, CSM, is Vice President of Information Security and Assurance Services at Garnet River LLC and the Director of Cyber Security Programs at the School of Professional and Continuing Education at the Sage Colleges in Albany, NY. As an information security leader and subject matter expert, Michael has been a contract CISO for several organizations.

Subscribe to The River's Bend

The River's Bend is our monthly newsletter, featuring insights into what you should be looking for in business and technology before it can be you can prepare, act, and ultimately navigate a path forward.