Policies, Standards, and Guidelines
Refer to Stanford University's security and privacy policies, standards, and guidelines outlined below to better understand requirements for and relevance to your role at Stanford.
Definitions at-a-glance
What are the key differences between policies, standards, and guidelines?
Understanding the role each plays is essential for ensuring clarity, consistency, and accountability across Stanford. These elements work together to shape how work is performed and decisions are made.
In the context of data protection, these components form a structured framework that helps minimize risk, support regulatory compliance, and promote a strong security culture.
Element | Description | Mandatory | Purpose |
---|---|---|---|
Policy | High-level statements of intent | Yes | Sets organizational direction |
Standard | Specific, measurable rules for consistency | Yes | Provides uniform benchmarks |
Guideline | Recommended practices | No | Offers flexibility and best practices |
Policy
Definition
A policy is a high-level statement that outlines an organization’s overall intent, direction, and guiding principles on a specific topic.
Purpose
It sets the foundation for what is required or expected in a given area. Policies establish broad mandates or rules to ensure alignment with legal, regulatory, or business objectives.
Characteristics
- Generally mandatory
- Approved by senior leadership
- Often enforceable across the entire organization
Example
"All employees must protect the confidentiality of customer data in accordance with regulatory requirements."
Standard
Definition
Standards are specific, measurable rules that ensure consistency and compliance with policies.
Purpose
They provide technical or operational criteria needed to support the policy’s implementation, making sure practices are uniform across departments or systems.
Characteristics
- Typically mandatory
- Precise, detailing requirements that all employees or systems must adhere to
- Often specify metrics or benchmarks
Example
"Passwords must be a minimum of 12 characters and include a combination of uppercase, lowercase, numeric, and special characters."
Guideline
Definition
Guidelines are recommended practices that provide advice on how to meet policy and standard requirements. Unlike policies, standards, and procedures, guidelines are typically not mandatory.
Purpose
They offer flexibility and allow employees to make decisions based on their judgment, while still aligning with organizational goals.
Characteristics
- Advisory rather than enforceable
- Offer best practices or suggestions to improve efficiency or effectiveness
Example
"It is recommended to use a unique password for each application and avoid reusing passwords from personal accounts."