difference between security policy and security method?

shivajikobardan

what's the difference? are they same? context is I am studying information system subject.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

JDMurray

A "policy" is a high-level directive that specifies what should be performed, such as "All enterprise passwords shall conform to an industry standard complexity method and be periodically changed."

A security method would describe how to implement that policy, such as "All enterprise-compliant authentication must use the password recommendations specified in NIST SP800-63-3: Digital Identity Guidelines."

shivajikobardan

JDMurray said:

A "policy" is a high-level directive that specifies what should be performed, such as "All enterprise passwords shall conform to an industry standard complexity method and be periodically changed."
A security method would describe how to implement that policy, such as "All enterprise-compliant authentication must use the password recommendations specified in NIST SP800-63-3: Digital Identity Guidelines."

makes sense. thank you.

i didn't find further information in google, what should i search this by?

JDMurray

I would suggest reading through training materials for InfoSec certifications, such as Security+ and CISSP. YouTube is a good and free source of this material.