Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

Adherence to documented policies, standards, procedures, and guidelines is important to achieve compliance and a secure environment. That goal is just as important in the System/Application Domain. Although most of the other domains in the IT infrastructure are similar to domains in other organizations, the components in the System/Application Domain tend to be very specific to each organization. The applications any organization runs define the services that organization can provide. In some ways, the System/Application Domain defines the organization to the outside world.

Because the components in this domain are so specific to the organization, in many cases it is imperative to create specific documents to direct actions that apply to the System/Application Domain. Security policies state high-level goals for security. Standards state specific performance metrics to meet goals. Procedures document the steps to meet stated performance metrics. Guidelines provide general direction for situations that don’t have specific procedures. Develop documents that address each of the three C-I-A data security properties and each compliance requirement. Plan how you’re going to meet compliance requirements before taking action.

After you take the time to create the documents to direct IT activities, you should make every effort to follow the documents. If they have errors or need to be updated, make the necessary changes to keep them as current as possible. Following documented actions will always result in behavior that is more secure and compliant than simply making it up as you go.
