All right, now the next element of our security program is gonna be a direct result of senior management's influence on the organization. So we're gonna talk about policies, procedures, standards and guidelines, and senior management's gonna be responsible through governance and setting the vision.
And then these policies, procedures, standards and guidelines are more the systems influence, and advising these policies to carry out the vision or to accomplish the vision.
All right, policy. So policies tend to be broad in nature. You really shouldn't have a ton of policies, and they really shouldn't change very frequently. And that feels very odd for people. But policies are generic, and then ultimately the standards are gonna fill in the details.
So, for instance, my policy might be:
we're gonna protect customer information in relation to the current de facto standard.
Well, the standard is going to say right now we're using AES-256. And in two years we'll be using something different, most likely, but the idea that we're gonna protect data in accordance with the current acceptable standard, that really shouldn't change. So that's policy versus standard.
When you look at corporate standards, you get three basic types. Your corporate policy (not standard), corporate policy is gonna be for the organization as a whole. Right? We here at kelly dot com, in order to provide customer confidence, are committed to protecting the privacy of their information
and to maintain compliance with all applicable regulations and laws.
Right, that policy isn't gonna change, and standards will go in and fill in the details.
All right, then we have system-specific policies.
The policies for domain controllers are gonna be very different than the policies for end user systems or Web servers. So we'll add policies governing the protection of our systems. And then issue-specific policies are gonna address specific issues
like acceptable use policy, privacy, system ownership,
data ownership. Those sorts of elements are gonna be in the issue-specific policy.
Now, like I said, standards are gonna be there to fill in the gaps. So whereas the policy is gonna be very broad, standards will be specific, and you'll have more standards than you will policies. So a policy might say, based on privilege level,
um, we'll use strong authentication to protect access to data.
So whereas a user may simply be required a user name and a smart card, an administrator, who's gonna be authorized to much more, may have to provide a retina scan, a password and a cryptographic key, right? So, depending on access. So the standard would be:
for users, here's what you have to do; for power users;
for administrators. So three different standards to satisfy policy.
When you're thinking about specifics or details of policy, it's a standard.
All right, now your procedures are step-by-step instructions. Step one. Step two. Step three.
Um, and out of all of these three, policies, procedures, standards, all three of those are mandatory, right? So policy, the details of the policy through the standard, steps on how to accomplish that. However, the next one, guidelines, these are recommended.
They're not required. So guidelines are more best practices, more of those things that are "should", not "shall".
So, "in order to improve security awareness, we encourage our users to attend the training classes whenever possible." Right? That just screams guidelines: we suggest, recommend, whenever possible.
All right, and then, additionally, we'll also have baselines as well. Now, baselines, that term may be used a couple of different ways. But for us, a baseline is the minimum acceptable security configuration.
Minimum acceptable security configuration.
Okay, if you remember, earlier we said one of the reasons, the main reason, we classify information is that will dictate how that information is protected. So when I label data top secret, there is a set of security requirements that go with top secret data. And that's the baseline.
Now, not all top secret data is protected the same way.
But all top secret data should have the same baseline security configuration.
All right, so policy, standards, procedures, guidelines and baselines: guidelines, out of that list, are the only ones that are not mandatory.