Policies, Standards, and Guidelines

The process of implementing and maintaining a secure network must first be addressed from a policies, standards, and guidelines perspective. This sets the tone, provides authority, and gives your efforts the teeth they need to be effective. Policies and guidelines set a standard of expectation in an organization. The process of developing these policies will help everyone in an organization become involved and invested in making security efforts successful. You can think of policies as providing the big picture on issues. Standards tell people what is expected, and guidelines provide specific advice on how to accomplish a given task or activity.

The next sections discuss the policies, standards, and guidelines that you need to establish for your security efforts to be successful.

Note 

You will not be tested on this material, and I am only providing this as background. Although the material may not be important for test preparation, it is very important in the real world.

Policies

Policies provide guidance about expected behaviors to people in an organization. Well-written policies are clear and concise, and they outline the consequences of not following them. A good policy contains several key areas in addition to the policy statements themselves:

Scope Statement A good policy will have a scoping statement that outlines what the policy intends to accomplish and what documents, laws, and practices the policy addresses. The scoping statement provides some background for the reader to understand what the policy is about and how it applies to them.

Policy Overview Statement Policy overview statements provide the goal of the policy, why it is important, and how to comply with the policy. Ideally, a single paragraph is all you need for this. This provides the readers with a sense of the policy.

Policy Statements Once the policy's readers understand its importance, they should be informed what the policy is. Policy statements should be as clear and unambiguous as possible. The policy may be presented in paragraph form, or as bulleted lists, or checklists.

The presentation will depend on the target audience of the policy as well as the nature of the policy. If the policy is intended to help people determine how to lock up the building at the end of the business day, it may be helpful to provide a specific checklist on what steps should be taken.

Accountability Statement The policy should address who is responsible for ensuring that the policy is enforced. This provides additional information to the reader about who to contact if a problem is discovered. This statement should also include a statement indicating the consequences of not complying with the policy and who is responsible for overseeing the policy.

Exception Statement Sometimes, even the best policy does not foresee every eventuality. This section provides specific guidance about the procedure or process that must be followed in order to deviate from the policy. This may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.

The policy development process is sometimes time-consuming. The advantage of this process, though, is that these decisions can be made in advance and can be sent to all involved parties. This avoids having to restate the policy over and over again. In fact, formally developing policies saves time and provides structure. Employees, instead of trying to figure out what to do, will know what to do.

Standards

A standard deals with specific issues or aspects of the business. Standards are derived from policies. A standard should provide enough detail so that an audit can be performed to determine if the standard is being met. Standards, like policies, have certain structural aspects in common.

The following five points are the key aspects of standards documents:

Scope and Purpose The standard should explain or describe the intention of the standard. If a standard is developed for a technical implementation, the scope might include software, updates, add-ins, and any other relevant information that helps the implementer carry out the task.

Roles and Responsibilities This section outlines who is responsible for implementing, monitoring, and maintaining the standard. In a systems configuration, this section would outline what the customer is supposed to accomplish and what the installer is supposed to accomplish. This does not mean that one or the other cannot exceed those roles; it means that in the event of confusion, it is clear who is responsible for accomplishing which tasks.

Reference Documents This section explains how the standard relates to the different policies in the organization. This connects the standard to the underlying policies that have been put in place. In the event of confusion or uncertainty, it also allows people to go back to the source and figure out what the standard means. You will encounter many situations throughout your career where you are given a standard and it doesn't make sense. Frequently, by referring back to the policies you can figure out why the standard was written the way it was. This may help you carry out the standard or inform the people responsible for the standard of a change or problem.

Performance Criteria This part of the document outlines what or how to accomplish the task. This should include relevant baseline and technology standards. Baselines provide a minimum or starting point of the standard. Technology standards provide information about the platforms and technologies. Baseline standards spell out high-level requirements for the standard or technology.

If you are responsible for installing a server in a remote location, the standards spell out what type of computer will be used, what operating system will be installed, and any other relevant specifications.

Maintenance and Administrative Requirements These standards outline what is required to manage and administer the systems or networks. In the case of a physical security requirement, the frequency of lock changes or combination changes would be addressed.

As you can see, standards documents provide a mechanism for both new and existing standards to be evaluated for compliance. The process of evaluation is called an audit. Increasingly, organizations are required to conduct regular audits of their standards and policies.

Guidelines

Guidelines are slightly different from either policies or standards. Guidelines help an organization implement or maintain standards by providing information on how to carry out the policies and comply with the standards.

Guidelines can be less formal than policies or standards. This is because the nature of these documents is to help comply with policies and standards. An example of this might be an explanation of how to install a service pack and what steps should be taken before doing it.

Guidelines are not hard-and-fast rules. They may, however, provide a step-by-step process to accomplish a task. Guidelines, like standards and policies, should contain background information to help perform the task.

The following four items are the minimum contents of a good guidelines document:

Scope and Purpose The scope and purpose of a guideline provide an overview and statement of intent of the guideline.

Roles and Responsibilities This section identifies which individuals or departments are responsible for accomplishing specific tasks. This may include implementation, support, and administration of a system or service. In a large organization, it is very likely that the individuals involved in the process will have different levels of training and expertise. From a security perspective, it could be disastrous if an unqualified technician installed a system without guidelines.

Guideline Statements These statements provide the step-by-step instructions on how to accomplish a specific task in a specific manner. Again, these are guidelines—they may not be hard-and-fast rules.

Operational Considerations The operational considerations of a guideline specify and identify what duties are required and at what intervals. This might include daily, weekly, and monthly tasks. Guidelines for systems backup might provide specific guidance as to what files and directories must be backed up and how frequently.

Guidelines help in several different ways. First, if a process or set of steps is not performed routinely, even experienced support and security staff will forget how to do it, and guidelines will help refresh their memory. Second, when you are training someone to do something new, written guidelines can shorten the new person's learning curve. Third, when a crisis or high-stress situation occurs, guidelines can keep you from coming unglued.



CompTIA Security+ Study Guide. Exam SY0-101
ISBN: 078214098X
Year: 2006
Pages: 167
