CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [155]
The next sections discuss the policies, standards, and guidelines you need to establish in order for your security efforts to be successful.
Implementing Policies
Policies provide the people in an organization with guidance about their expected behavior. Well-written policies are clear and concise, and they outline consequences when they aren’t followed. A good policy contains several key areas in addition to the policy statements themselves:
Scope statement A good policy has a scope statement that outlines what the policy intends to accomplish and what documents, laws, and practices the policy addresses. The scope statement provides background to help readers understand what the policy is about and how it applies to them.
The scope statement is always brief—usually not more than a single sentence in length.
Policy overview statement Policy overview statements provide the goal of the policy, why it’s important, and how to comply with it. Ideally, a single paragraph is all you need to provide readers with a sense of the policy.
Policy statements Once the policy’s readers understand its importance, they should be informed of what the policy is. Policy statements should be as clear and unambiguous as possible. The policy may be presented in paragraph form, as bulleted lists, or as checklists.
The presentation will depend on the policy’s target audience as well as its nature. If the policy is intended to help people determine how to lock up the building at the end of the business day, it might be helpful to provide a specific checklist of the steps that should be taken.
Accountability statement The policy should address who is responsible for ensuring that it is enforced. This statement provides additional information to the reader about who to contact if a problem is discovered. It should also indicate the consequences of not complying with the policy.
The accountability statement should be written in words the reader will understand. If the accountability statement is to be read by the users, then it must be written in such a way as to leave no room for misinterpretation.
Exception statement Sometimes, even the best policy doesn’t foresee every eventuality. The exception statement provides specific guidance about the procedure or process that must be followed in order to deviate from the policy. This may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.
The policy development process is sometimes time consuming. The advantage of this process, though, is that the decisions can be made in advance and can be sent to all involved parties so the policy doesn’t have to be restated over and over again. In fact, formally developing policies saves time and provides structure: Instead of using valuable time trying to figure out what to do, employees will know what to do.
Incorporating Standards
A standard deals with specific issues or aspects of the business. Standards are derived from policies. A standard should provide enough detail that an audit can be performed to determine if the standard is being met. Standards, like policies, have certain structural aspects in common.
The following five points are the key aspects of standards documents:
Scope and purpose The standards document should explain or describe the intention. If a standard is developed for a technical implementation, the scope might include software, updates, add-ins, and any other relevant information that helps the implementer carry out the task.
Roles and responsibilities This section of the standards document outlines who is responsible for implementing, monitoring, and maintaining the standard. In a system configuration, this section would outline what