Standards, guidelines, procedures, and baselines are the means whereby engineers, programmers, managers, and users adhere to security policy. The relationships between these areas of compliance activity are depicted in Figure 1.
Policies provide general statements of security goals and objectives approved by management. From those policies, technical and administrative teams define standards and guidelines to support the policies. Standards specify mandatory or prohibited hardware and software configurations, and compulsory processes for the implementation, operation, and use of all or specific information systems. The scope of a standard typically depends on whether it supports a program policy or a system- or issue-specific policy.
Too many standards can place onerous restrictions on operational managers and staff. On the other hand, there must be consistency in the application of security policies. This is where guidelines add value. Guidelines provide recommended actions, hardware and software configurations, and processes in line with governing policies. Although managers must consider guidelines in day-to-day activities, they have some latitude in deciding how to implement them. The principle of implementing security that is reasonable and appropriate is a good approach to enforcing guidelines. View each operation within your organization as a unique opportunity to interpret guidelines in a way that protects your information assets while maintaining operational efficiency.
Once your standards and guidelines are defined, procedures should be developed to implement them. Procedures are detailed, step-by-step approaches to performing a task. Examples include:
- Building a file and print server
- Building a local area network
- Deploying email capability to a user workstation
- Configuring a smart phone
- Processing accounts payable
Well-defined, documented, and operationally integrated procedures ensure consistency in policy compliance.
Finally, baselines are the minimum level of security allowable in the configuration of hardware and software. For example, when building a server, the baseline configuration must be applied to provide the level of security absolutely required by policy, standards, and so on. Additional security controls may be added, as long as they do not reduce the level of protection below that provided by the baseline configuration.
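A baseline is only useful if a build can be checked against it mechanically. The following is an added example, not code or a baseline from the original article: a small checker that parses a `Key value` style server configuration (modelled loosely on `sshd_config` keys) and compares each setting against a hypothetical baseline. The point it demonstrates is the "stricter is allowed, weaker is not" rule: each setting carries its own notion of strictness (a numeric floor, a numeric ceiling, an exact keyword, or a list that may only be narrowed), so a server that tightens settings passes while one that loosens any of them is reported. The baseline values and sample configurations are constructed for this example and are not a published benchmark.

```python
"""Check a server configuration against a security baseline (added example)."""
from typing import Callable, Dict, List, Tuple

# A comparator returns True when `actual` is at least as strict as `required`.
Comparator = Callable[[str, str], bool]


def at_least(actual: str, required: str) -> bool:
    """Numeric setting where a larger value is stricter (e.g. password length)."""
    return int(actual) >= int(required)


def at_most(actual: str, required: str) -> bool:
    """Numeric setting where a smaller value is stricter (e.g. retry limit, timeout)."""
    return int(actual) <= int(required)


def exact(actual: str, required: str) -> bool:
    """Keyword setting that must match the baseline value (case-insensitive)."""
    return actual.strip().lower() == required.strip().lower()


def subset_of(actual: str, required: str) -> bool:
    """Comma-separated list that may only be narrowed, never widened (e.g. ciphers)."""
    allowed = {item.strip() for item in required.split(",")}
    chosen = {item.strip() for item in actual.split(",") if item.strip()}
    return bool(chosen) and chosen <= allowed


# Hypothetical baseline: setting -> (minimum acceptable value, strictness rule).
BASELINE: Dict[str, Tuple[str, Comparator]] = {
    "PermitRootLogin": ("no", exact),
    "PasswordAuthentication": ("no", exact),
    "MaxAuthTries": ("4", at_most),
    "ClientAliveInterval": ("300", at_most),
    "Ciphers": ("aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,"
                "aes128-gcm@openssh.com", subset_of),
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; '#' begins a comment; the last occurrence of a key wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_baseline(config: Dict[str, str],
                   baseline: Dict[str, Tuple[str, Comparator]] = BASELINE) -> List[str]:
    """Return one finding per setting that is missing or weaker than the baseline.

    An empty list means the configuration meets (or exceeds) the baseline.
    A missing setting is a finding: the software default is usually weaker
    than the baseline, and the baseline requires the value to be explicit.
    """
    findings: List[str] = []
    for key, (required, is_strict_enough) in baseline.items():
        if key not in config:
            findings.append(f"{key}: not set (baseline requires {required!r})")
            continue
        try:
            ok = is_strict_enough(config[key], required)
        except ValueError:  # non-numeric value where a number is required
            ok = False
        if not ok:
            findings.append(f"{key}: {config[key]!r} is weaker than baseline {required!r}")
    return findings


# Constructed sample configurations for the example.
STRICTER_CONFIG = """
# Tightens several settings beyond the baseline: this is allowed.
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 120
Ciphers chacha20-poly1305@openssh.com
"""

WEAKER_CONFIG = """
PermitRootLogin yes          # below baseline
PasswordAuthentication no
MaxAuthTries 6               # more attempts than the baseline allows
ClientAliveInterval 300
Ciphers aes256-gcm@openssh.com,aes128-cbc   # aes128-cbc is not in the allowed set
"""

if __name__ == "__main__":
    for name, text in (("stricter", STRICTER_CONFIG), ("weaker", WEAKER_CONFIG)):
        result = check_baseline(parse_config(text))
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The comparators are the part to get right when turning a baseline document into a check: a single "equals the baseline value" rule would wrongly fail the stricter server above, while a rule with no ordering at all would let the weaker one through.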
See other articles in the Security Basics series...