6.3. Developing Policies, Standards, and Guidelines

The process of implementing and maintaining a secure network must first be addressed from a policies, standards, and guidelines perspective. This sets the tone, provides authority, and gives your efforts the teeth they need to be effective. Policies and guidelines set a standard of expectation in an organization. The process of developing these policies will help everyone in an organization become involved and invested in making security efforts successful. You can think of policies as providing the big picture on issues. Standards tell people what is expected, and guidelines provide specific advice on how to accomplish a given task or activity.

The next sections discuss the policies, standards, and guidelines you need to establish in order for your security efforts to be successful.

6.3.1. Implementing Policies

Policies provide the people in an organization with guidance about their expected behavior. Well-written policies are clear and concise, and they outline consequences when they aren't followed. A good policy contains several key areas in addition to the policy statements themselves:


Scope statement

A good policy has a scope statement that outlines what the policy intends to accomplish and what documents, laws, and practices the policy addresses. The scope statement provides background to help readers understand what the policy is about and how it applies to them.

NOTE

The scope statement is always brief—usually not more than a single sentence in length.


Policy overview statement

Policy overview statements provide the goal of the policy, why it's important, and how to comply with it. Ideally, a single paragraph is all you need to provide readers with a sense of the policy.


Policy statements

Once the policy's readers understand its importance, they should be informed of what the policy is. Policy statements should be as clear and unambiguous as possible. The policy may be presented in paragraph form, as bulleted lists, or as checklists.

The presentation will depend on the policy's target audience as well as its nature. If the policy is intended to help people determine how to lock up the building at the end of the business day, it might be helpful to provide a specific checklist of the steps that should be taken.


Accountability statement

The policy should address who is responsible for ensuring that it is enforced. This statement provides additional information to the reader about who to contact if a problem is discovered. It should also indicate the consequences of not complying with the policy.

NOTE

The accountability statement should be written in words the reader will understand. If the accountability statement is to be read by the users, then it must be written in such a way as to leave no room for misinterpretation.


Exception statement

Sometimes, even the best policy doesn't foresee every eventuality. The exception statement provides specific guidance about the procedure or process that must be followed in order to deviate from the policy. This may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.

The policy development process is sometimes time-consuming. The advantage of this process, though, is that the decisions can be made in advance and sent to all involved parties, so the policy doesn't have to be restated over and over again. In fact, formally developing policies saves time and provides structure: instead of using valuable time trying to figure out what to do, employees will already know what to do.

6.3.2. Incorporating Standards

A standard deals with specific issues or aspects of the business. Standards are derived from policies. A standard should provide enough detail that an audit can be performed to determine if the standard is being met. Standards, like policies, have certain structural aspects in common.

The following five points are the key aspects of standards documents:


Scope and purpose

The standards document should explain or describe the intention. If a standard is developed for a technical implementation, the scope might include software, updates, add-ins, and any other relevant information that helps the implementer carry out the task.


Roles and responsibilities

This section of the standards document outlines who is responsible for implementing, monitoring, and maintaining the standard. In a system configuration, this section would outline what the customer is supposed to accomplish and what the installer is supposed to accomplish. This doesn't mean that one or the other can't exceed those roles; it means that in the event of confusion, it's clear who is responsible for accomplishing which tasks.


Reference documents

This section of the standards document explains how the standard relates to the organization's different policies, thereby connecting the standard to the underlying policies that have been put in place. In the event of confusion or uncertainty, it also allows people to go back to the source and figure out what the standard means. You'll encounter many situations throughout your career where you're given a standard that doesn't make sense. Frequently, by referring back to the policies, you can figure out why the standard was written the way it was. Doing so may help you carry out the standard or inform the people responsible for the standard of a change or problem.


Performance criteria

This part of the standards document outlines what is to be accomplished and how to accomplish it. It should include the relevant baseline and technology standards. Baselines provide a minimum or starting point for the standard. Technology standards provide information about the platforms and technologies involved. Baseline standards spell out the high-level requirements for the standard or technology.

An important aspect of performance criteria is benchmarking. You need to define what will be measured and the metrics that will be used to do so.


If you're responsible for installing a server in a remote location, the standards spell out what type of computer will be used, what operating system will be installed, and any other relevant specifications.


Maintenance and administrative requirements

These standards outline what is required to manage and administer the systems or networks. In the case of a physical security requirement, the frequency with which locks or combinations are changed would be addressed.

As you can see, the standards documents provide a mechanism for both new and existing standards to be evaluated for compliance. The process of evaluation is called an audit. Increasingly, organizations are being required to conduct regular audits of their standards and policies.

6.3.3. Following Guidelines

Guidelines are slightly different from either policies or standards. Guidelines help an organization implement or maintain standards by providing information on how to accomplish the policies and maintain the standards.

Guidelines can be less formal than policies or standards because their nature is to help users comply with policies and standards. An example might be an explanation of how to install a service pack and what steps should be taken before doing so.

Guidelines aren't hard-and-fast rules. They may, however, provide a step-by-step process to accomplish a task. Guidelines, like standards and policies, should contain background information to help a user perform the task.

The following four items are the minimum contents of a good guidelines document:


Scope and purpose

The scope and purpose provide an overview and statement of the guideline's intent.


Roles and responsibilities

This section of the guidelines identifies which individuals or departments are responsible for accomplishing specific tasks. This may include implementation, support, and administration of a system or service. In a large organization, it's likely that the individuals involved in the process will have different levels of training and expertise. From a security perspective, it could be disastrous if an unqualified technician installed a system without guidelines.


Guideline statements

These statements provide the step-by-step instructions on how to accomplish a specific task in a specific manner. Again, these are guidelines—they may not be hard-and-fast rules.


Operational considerations

A guideline's operational considerations specify and identify what duties are required and at what intervals. This list might include daily, weekly, and monthly tasks. Guidelines for systems backup might provide specific guidance as to what files and directories must be backed up and how frequently.

Guidelines help an organization in several different ways. First, if a process or set of steps isn't performed routinely, experienced support and security staff will forget how to do them; guidelines will help refresh their memory. Second, when you're trying to train someone to do something new, written guidelines can improve the new person's learning curve. Third, when a crisis or high-stress situation occurs, guidelines can keep you from coming unglued.
