Best Practices for IT Infrastructure Security Policies

The volume of infrastructure policies can be quite large, depending on your organization’s needs. For example, the more diverse the technologies deployed, the greater the number of baseline standards required. It is important to define the requirements for standards in a methodical way.

This chapter discusses the requirements based on domains. More than one approach works. Many organizations first select a framework, such as ISO or COBIT. They then develop requirements and standards based on the framework.

Do not reinvent the wheel. There are rare instances where you will need to develop original content to create a new policy. More often, you modify an existing sample obtained from a reliable source. Before you create content for a specific topic, see what others have already done and adapt that work to your specific needs. Some sources for security policies and standards include the following:

  • The U.S. government offers hundreds of standards through NIST.
  • Private organizations, such as SANS, sell prewritten security policies.
  • Professional associations offer security policy examples to their membership. Some associations are the Institute of Internal Auditors (IIA) and the Information Systems and Control Association (ISACA).
  • Contact the vendors of your IT products to find out if they offer sample security policies.

Do not impose strict access controls on your policies and standards. Make them freely available to everyone expected to follow them. These documents reinforce security awareness messages.

Keep content cohesive. Although standard boilerplate security policies are easily accessible, they can conflict with one another. The conflicts can be at many levels, from approach to specific requirements. When developing a document, focus only on the subject it covers. Compare the content with related topics. If you need to refer to other topics contained in other documents, do not repeat the content. Simply reference the other related documents in the one you have developed. When it’s finished, look at it as a complete end-to-end story of how to control risks. This end-to-end view allows you to adjust for inconsistencies and close gaps.

Keep content coherent. Maintain the same “voice” throughout a single document. Do not add more information than is necessary to convey the message. Do not stray from the message.

Make your library as searchable as possible. When implementing your policies, make it easy to locate relevant documents by indexing them with keywords and phrases.

Federate ownership to where it best belongs. Over time, you will find that nonsecurity personnel are adept at producing policy documents. This is especially true for creating procedures they use every day. If you work on building alliances with data center operators and administrators, you can often obtain their help in preparing policy documentation.
