If a security control is the cornerstone of everything that an IT security person does, well, then that kind of begs the question, Where do they come from? I mean, the standard type of organization is going to have 10s of thousands, hundreds of thousands zillions of different security controls. And if I as an IT security person, I'm going to apply and manage and adjust these things. Well, I have to start with something. And we do that. And we do that through a process known as governance.
Now, governance is nothing more than the set of overarching rules that define how an organization and it's personnel conduct themselves. That sounds easy enough. But governance is a big topic and covers a whole lot more than IP security. So what we're going to be talking about, is it security governance, and those are the set of overarching rules that define how an organization and its personnel conduct their IT security. So to do this, we have to get some type of sources and there's a lot of sources is out there. And we take these sources and we start to build up our set of rules.
So let's take a look at the different types of sources that we use. The first source for security governance are laws and regulations. There are lots of laws and regulations out there that affect our IT security. A great example would be here in the United States, HIPAA, which is used by healthcare professionals and how they take care of personal data. Second, are standards now in standards, we can really break this into two different types first, what we call government standards. So here in the US, it's going to be the National Institute of Standards.
In Europe, it might be ISO, but these are organizations that provide specific standards on how to do it security. Secondly, though, our industry standards, and probably the one best example of that is PCI DSS. Anybody who works with a credit card on the internet in any way, shape or form deals with PCI DSS standards. Third, our best practices, best practices are just how different people tell you the best way to do their stuff. And the most famous of these are the Microsoft best practices that define 10s of thousands of ways to properly do a Microsoft network. Fourth, and probably the most fun one is called common sense and experience.
Common sense that experience are really, really important. And really, what it boils down to is thinking, what's worked in the past, what have I understood to be the best way to do something? And what just sounds right. Once we take a look at all of these sources for governance, our next job is to create two very different types of documents. First are what we call policies. A policy is a document a document that you can hold in your hand that defines how we're going to be doing something.
So a good example would be an acceptable use policy that says to the woman Employees what they can and can't do on the organization's equipment. Now, policies have some certain effects. First of all, they're going to be very broad in nature, they're not going to have a lot of definition to them, we will always use strong passwords. Secondly, they can be used as directives. A policy is always going to say we will do this, this will take place, so they're very directive in nature. Third, they are often used to define roles and responsibilities.
So there's usually some organizations policy that says, We will always have a chief information security officer, and there will be three security analysts under that position, that type of stuff. So policies are important. And in a typical organization, you can see a lot of these in fact, a bet a nickel, if you've ever went got a job with somebody, you probably had to sign a few of these. You often see security policies in place with new hires. Now, the second type of document is what I call an organizational standard or organizational standards are much more detailed than a policy, it's going to define the level of performance for a policy. So if we have a password policy that says on paper, that we will use strong passwords, a organizational standard for passwords is going to say things like, it must be 12 characters alphanumeric, and it has to be changed every three months, something like that.
So there's a big difference between the two. In fact, even though there is a big difference, what you'll see a lot of times is that for some organizations, they'll go ahead and incorporate the standards into policies. Now, I know that almost seems different from the definition I gave you, but it does happen. And so you'll see in a lot of organizations, they don't really have organizational standards, per se. They just have policies that are a bit more detailed than what you would normally expect. Okay, so, we've taken all this stuff, we put it together, we pick from all of our sources, developed X number of policies.
And potentially X number of organizational standards. Now, the interesting thing is, is well, where do the security controls come from? And the answer is, they're really in the policies and standards. It's hard to find an organization that lists every one of its security controls in a big Excel spreadsheet. Okay, well, there are pleased to see that, but we'll talk about that later. What you usually see is that the security controls are actually defined within the policies and standards that say, you know, this is how we do this security control that security control.
So there's not usually a big list of security controls that you can look at as a separate item, sometimes, alright, but we now do have detailed policies and organizational standards that tell us what we need to do, but it doesn't tell us how to do it. And that's where procedures come into play. A procedure is like the name implies a step by step process of how you do something, how to go into Windows Server and set up passwords. complexity as a security policy, whatever it might be. So procedures define how we actually do it in a step by step manner. Okay, how's that for a little introduction to governance, let's take a minute right now.
And let's just kind of take a picture of all these guys together. So here is my graphic of governance. So first of all, we're going to start with sources. So things like laws and regulations, best practices, common sense, all these types of things. So we're going to put these guys at the top here, okay, so an IT professional looks at all these sources or knows about all these sources, and then begins to build policies and standards. From these policies and standards.
What we are in essence creating is a big pile of security controls, which are not listed separately either within the policies and standards, but they are there. Once we have all of this together, we then end with procedures that tell us how to actually make each one of these happen. That, my friends is what governance is all about, if you really think about it, governance, in its most core function is to actually make the right set of security controls for your organization. And this is the process we use to get those security controls up and running. Now, I want you to remember that graphic because you're going to see it again in later episodes. As we talk about a few other things.
I'm going to keep it a mystery for a moment. So that's the basics of governments. However, I get to add one more thing. guidelines. There is one more part of guidelines that helps us develop our big pile of security controls. A guideline, unlike anything else we've ever talked about is considered something optional.
It's an idea. Well, you know, usually we run a cable like this, where it doesn't have to be clearly defined, but it gives us an idea of how we tend to do things. The important thing to remember is that everything else is required and guidelines are optional.