Procedures are formal documents that provide detailed, step-by-step instructions on how to perform a specific task or process. They are designed to ensure that actions are carried out consistently and correctly, in alignment with established policies and standards. For example, a procedure would outline the exact sequence of actions a system administrator must take to create a new user account, ensuring compliance with the organization's access control policy.

A. Policies are high-level documents that state management's intent and objectives; they define what is required, not the specific steps on how to do it.

B. Regulations are mandatory rules or laws imposed by an external governing body, which an organization must follow, but they are not internal step-by-step guides.

C. Standards establish mandatory, specific requirements for technologies, configurations, or methods to ensure consistency, but they are not detailed procedural instructions.

1. National Institute of Standards and Technology (NIST). (2017). An Introduction to Information Security (NIST Special Publication 800-12 Rev. 1). U.S. Department of Commerce. In Section 2.3.1

"Policy

Standards

and Practices

" it states

"Procedures are detailed

step-by-step instructions that are created to ensure that personnel can perform a given action." (p. 10).

2. National Institute of Standards and Technology (NIST). (n.d.). Glossary. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary. The glossary defines a procedure as: "A set of steps that can be followed to accomplish a task."

3. University of California

Berkeley. (n.d.). Information Security Policy Program. Information Security Office. The document outlines the policy framework

defining Procedures as: "Step-by-step instructions to assist staff in implementing the various policies

standards

and guidelines."