What are the differences between a policy, a standard, and a practice? Where would each be used?

A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters. Policies function like laws within an organization because they dictate acceptable and unacceptable behavior within the context of the organization's culture. A standard has the same requirement for compliance as a policy, but a standard provides more detail for what must be done to comply with policy. The level of acceptance for standards may be informal, as for de facto standards, or formal (as for de jure standards). Practices, procedures, and guidelines effectively explain how to comply with policy.
Policies provide instructions for the proper use of technologies. Three criteria for shaping sound policies are to ensure they:
• Never conflict with law.
• Stand up in court, if challenged.
• Are properly administered through dissemination and documented acceptance.
For these reasons, it is important for policy to be adequately detailed to ensure proper implementation. Policy that is not well defined can create significant liability if the company must defend it in a court of law. Unless a particular use is clearly prohibited, the organization cannot penalize an employee for misuse.
Policy carries the ultimate authority for how technology is managed; system administrators and users are responsible for enforcing and following it.
Based on NIST Special Publication 800-14, there are three types of information security policies. First are general or security program policies (SPPs), also called enterprise information security policies (EISPs), which are usually drafted by the chief information officer of the organization. SPPs directly support the mission, vision, and direction of the organization and set the strategic direction, scope, and tone for its security efforts. Second are issue-specific security policies (ISSPs), which formally instruct employees how to properly use the organization's technologies, including the Internet, e-mail, and photocopy equipment. An ISSP requires frequent updates and must contain a statement of the organization's position on the specific issue it covers. Third are system-specific security policies (SysSPs). These are not standalone formal policy documents; they are usually codified as the standards and procedures used when configuring or maintaining systems. SysSPs fall into two groups: access control lists and configuration rules.
When office equipment is used for personal purposes, an ISSP is needed to guide use of the Web, e-mail, and office equipment.

Policy - Written instructions that describe proper behavior.
Standard - Detailed statement of what must be done to comply with policy.
Practice - Examples of actions that would comply with policy.
The three types of security policy are:
Enterprise Information Security Policy (EISP)
Issue-Specific Security Policy (ISSP)
System-Specific Security Policy (SysSP)

A hot site is a fully configured computer facility with all services, communications links, and physical plant operations, including heating and air conditioning. Hot sites duplicate computing resources, peripherals, phone systems, applications, and workstations. A hot site is the pinnacle of contingency planning; it is a duplicate facility that needs only the latest data backups and personnel to become a fully operational twin of the original. A hot site can be operational in a matter of minutes, and in some cases it may be built to fail over seamlessly by picking up the processing load from a failing site. The hot site is therefore the most expensive alternative available.
A warm site provides many of the same services and options as a hot site. However, it typically does not include the actual applications the company needs, or the applications may not yet be installed and configured. A warm site frequently includes computing equipment and peripherals with servers, but not client workstations. A warm site has many of the advantages of a hot site, but at a lower cost. The downside is that a warm site requires hours, if not days, to become fully functional.
A cold site provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. Basically, a cold site is an empty room with heating, air conditioning, and electricity. Everything else is an option. Although the obvious disadvantages may preclude its selection, a cold site is better than nothing. The main advantage of cold sites over hot and warm sites is the cost.
A time-share is a hot, warm, or cold site that is leased in conjunction with a business partner or sister organization. The time-share allows the organization to maintain a disaster recovery and business continuity option at a reduced overall cost. The time-share has the same advantages as the type of site selected (hot, warm, or cold). The primary disadvantage is the possibility that more than one organization involved in the time-share may need the facility simultaneously. Other disadvantages include the need to stock the facility with equipment and data from all organizations involved, the negotiations for arranging the time-share, and additional agreements if one or more parties decide to cancel the agreement or sublease its options.
A service bureau is an agency that provides a service for a fee. In the case of disaster recovery and continuity planning, the service is the agreement to provide physical facilities during and after a disaster. These types of agencies also frequently provide off-site data storage for a fee. Contracts can be carefully created with service bureaus to specify exactly what the organization needs without having to reserve dedicated facilities. A service agreement usually guarantees space when needed, even if the service bureau has to acquire additional space in the event of a widespread disaster.
A mutual agreement is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster. It stipulates that each organization is obligated to provide necessary facilities, resources, and services until the receiving organization can recover from the disaster. The problem with this approach is that many organizations balk at the idea of having to fund duplicate services and resources for other parties, even in the short term. Still, mutual agreements between divisions of the same parent company, between subordinate and superior organizations, or between business partners can be a cost-effective solution.

Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in those systems.
Assets are defined in this context as information and the systems that use, store, and transmit information. To protect assets, you must understand what they are, how they add value to the organization, and the vulnerabilities to which they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean it is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.

Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. Like first-generation firewalls, stateful inspection firewalls perform packet filtering, but they take it a step further. Whereas simple packet-filtering firewalls only allow or deny packets based on the addresses and ports in each packet's header, a stateful firewall can block incoming packets that are not responses to requests originating inside the network. If the stateful firewall receives an incoming packet that it cannot match in its state table, it falls back to its ACL to determine whether to allow the packet to pass. The primary disadvantage of this type of firewall is the additional processing and memory required to manage and verify packets against the state table, which can leave the firewall itself vulnerable to a DoS or DDoS attack (for example, a flood of connection attempts that fills the state table).
State information is preserved using a state table that looks similar to a firewall rule set but carries additional information. The state table contains the familiar columns for source IP, source port, destination IP, and destination port, but it adds columns for the protocol used (UDP or TCP), total time in seconds, and time remaining in seconds.
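As an added illustration (not code from the original page), the following Python sketch models the behaviour described above: outbound packets create state-table entries, inbound packets are allowed only if they match an existing entry, unmatched inbound packets fall back to a static ACL with an implicit deny, entries expire after an idle timeout, and a cap on table size shows the resource-exhaustion concern. The packet layout, the `StatefulFirewall` class, the 60-second timeout, and the sample packets are all assumptions made for the example.

```python
"""Toy stateful inspection firewall: state table plus ACL fallback (illustrative only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = internal -> external, "in" = external -> internal
    time: float      # seconds; a real firewall would read a monotonic clock


@dataclass
class Entry:
    created: float   # when the flow was first seen
    expires: float   # idle deadline; refreshed by every matching packet


# (proto, src_ip, src_port, dst_ip, dst_port) as seen from the internal host
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, acl: List[Tuple[str, Optional[int], str]],
                 timeout: float = 60.0, max_entries: int = 1000) -> None:
        # ACL rows: (proto, dst_port or None for any, "allow"/"deny"); first match wins
        self.acl = acl
        self.timeout = timeout
        self.max_entries = max_entries
        self.table: Dict[FlowKey, Entry] = {}

    def _expire(self, now: float) -> None:
        """Drop entries whose 'time remaining' has reached zero."""
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def _acl_lookup(self, pkt: Packet) -> str:
        """Static packet filter used when no state matches; implicit deny at the end."""
        for proto, port, action in self.acl:
            if proto == pkt.proto and (port is None or port == pkt.dst_port):
                return action
        return "deny"

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.time)
        if pkt.direction == "out":
            key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key not in self.table and len(self.table) >= self.max_entries:
                # Table exhausted: new internal requests are refused until entries expire.
                return "deny"
            self.table[key] = Entry(pkt.time, pkt.time + self.timeout)
            return "allow"
        # Inbound: look for the reversed 5-tuple of an internally initiated flow.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.table.get(key)
        if entry is not None:
            entry.expires = pkt.time + self.timeout  # refresh idle timer
            return "allow"
        return self._acl_lookup(pkt)  # unsolicited inbound: consult the ACL

    def state_rows(self, now: float) -> List[Tuple[str, str, int, str, int, float, float]]:
        """Rows shaped like the state table columns: proto, src, sport, dst, dport,
        total time (s), time remaining (s)."""
        return [(k[0], k[1], k[2], k[3], k[4], now - e.created, e.expires - now)
                for k, e in self.table.items()]


def demo() -> List[str]:
    """Constructed packet sequence; returns the firewall's decision for each."""
    fw = StatefulFirewall(acl=[("tcp", 443, "allow")], timeout=60.0, max_entries=2)
    pkts = [
        Packet("tcp", "10.0.0.5", 51000, "203.0.113.7", 80, "out", 0.0),   # internal request
        Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 51000, "in", 1.0),    # matching reply
        Packet("tcp", "198.51.100.9", 4444, "10.0.0.5", 22, "in", 2.0),    # unsolicited, no ACL match
        Packet("tcp", "198.51.100.9", 4444, "10.0.0.5", 443, "in", 2.0),   # unsolicited, ACL allows
        Packet("udp", "10.0.0.5", 40000, "203.0.113.53", 53, "out", 3.0),  # second flow fills table
        Packet("tcp", "10.0.0.6", 52000, "203.0.113.8", 80, "out", 4.0),   # table full -> denied
        Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 51000, "in", 62.0),   # reply after idle timeout
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running `demo()` yields `allow, allow, deny, allow, allow, deny, deny`: the first reply matches state, the SSH probe fails both state and ACL, the HTTPS probe passes on the ACL only, the third outbound flow is refused because the (deliberately tiny) table is full, and the late reply is denied because its entry expired.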

What type of policy would be needed to guide use of the Web and e-mail?

An issue-specific security policy (ISSP) would be needed to guide use of the Web, e-mail, and office equipment for personal use.

What is an EISP and what purpose does it serve?

An EISP is an enterprise information security policy (also called a general security policy or security program policy). It is the top-level security policy of the organization, usually drafted by the chief information officer, and serves to directly support the organization's mission, vision, and direction while setting the strategic direction, scope, and tone for all of its security efforts; the issue-specific and system-specific policies are written under it.

What is contingency planning? How is contingency planning different from routine management planning?

Contingency planning is making preparations in advance to reduce the effects of damage or risk; it is essentially a plan B. In a business setting, contingency planning may help maintain business relationships, prevent data loss, and address other uncertainties of the future, whereas routine management planning is a plan ...

Where can a security administrator find information on established security frameworks?

A security administrator can find information on established security frameworks by looking at the security blueprints that organizations adopt or adapt. One widely used model is the standard titled Information Technology - Code of Practice for Information Security Management (ISO/IEC 17799, since renumbered ISO/IEC 27002); NIST Special Publication 800-14, referenced above, is another published source of security framework guidance.