CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [156]

the customer is supposed to accomplish and what the installer is supposed to accomplish. This doesn’t mean that one or the other can’t exceed those roles; it means that in the event of confusion, it’s clear who is responsible for accomplishing which tasks.

Reference documents This section of the standards document explains how the standard relates to the organization’s policies, connecting it to the underlying policies it implements. In the event of confusion or uncertainty, it lets people go back to the source and determine what the standard means. You’ll encounter many situations throughout your career where you’re handed a standard that doesn’t make sense; frequently, referring back to the policies shows why the standard was written the way it was. That understanding may help you carry out the standard, or it may prompt you to inform the people responsible for the standard of a change or a problem.

Performance criteria This part of the standards document outlines what must be accomplished and how. It should include the relevant baseline and technology standards. Baselines provide the minimum, or starting point, for the standard and spell out its high-level requirements; technology standards provide information about the specific platforms and technologies involved.

An important aspect of performance criteria is benchmarking: you need to define what will be measured and the metrics that will be used to measure it.

If you’re responsible for installing a server in a remote location, the standards spell out what type of computer will be used, what operating system will be installed, and any other relevant specifications.

Maintenance and administrative requirements These standards outline what is required to manage and administer the systems or networks. In the case of a physical security requirement, for example, the frequency with which locks or combinations are changed would be addressed.

As you can see, standards documents provide a mechanism for evaluating both new and existing standards for compliance. The process of evaluation is called an audit. Increasingly, organizations are required to conduct regular audits of their standards and policies.

Following Guidelines

Guidelines differ slightly from both policies and standards: they help an organization implement and maintain its standards by explaining how to carry out the policies and comply with the standards.

Guidelines can be less formal than policies or standards because their nature is to help users comply with policies and standards. An example might be an explanation of how to install a service pack and what steps should be taken before doing so.

Guidelines aren’t hard-and-fast rules. They may, however, provide a step-by-step process to accomplish a task. Guidelines, like standards and policies, should contain background information to help a user perform the task.

The following four items are the minimum contents of a good guidelines document:

Scope and purpose The scope and purpose provide an overview and statement of the guideline’s intent.

Roles and responsibilities This section of the guidelines identifies which individuals or departments are responsible for accomplishing specific tasks. This may include implementation, support, and administration of a system or service. In a large organization, it’s likely that the individuals involved in the process will have different levels of training and expertise. From a security perspective, it could be disastrous if an unqualified technician installed a system without guidelines.

Guideline statements These statements provide the step-by-step instructions on how to accomplish a specific task in a specific manner. Again, these are guidelines—they may not be hard-and-fast rules.

Operational considerations A guideline’s operational considerations specify and identify what duties are required and at what intervals. This list might include daily, weekly, and monthly tasks. Guidelines for systems backup might provide specific