Standards, Procedures, Guidelines, and Baselines


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Now, after we talk about policies, because we said policies are going to be broad, not a lot of details, not a lot of references to individual roles or any type of technology or steps, we know that we need to fill in the voids that are left by policies, and the way we do that is with our standards, procedures, guidelines, and baselines. These are much more likely to change than our policies.

Now, as I mentioned in the last section, our standards, these are going to fill in the details of the policy; they are mandatory. Where I say we're going to back up on a regular basis, that might be part of my policy. My standard is going to say that we're going to back up on a nightly basis, and we might specifically say we're going to back up using McAfee's backup tool or whatever that might be, but ultimately, this fills in the detail of policy, and just like policy, standards are mandatory as well.

Now, the procedures are step-by-step instructions, so we're going to perform backups on a nightly basis: on Sunday night, maybe we'll do a full backup; on the remainder of the days of the week, we will provide incremental backups; we will test the backups for completeness once a week, or whatever. These step-by-step instructions for how we're going to do it are our procedures.

Now, procedures and standards are mandatory; our guidelines are optional. These are those things we should do instead of shall do. In order to maintain security awareness, it's recommended that employees attend training classes whenever possible. That's a guideline, and words like "it is suggested" or "it's recommended" or "whenever possible" are going to help you clue in that it's a guideline. This is the only one of those that's not mandatory. We have our policies and standards that are mandatory; our guidelines are not.

Then the last element here that I'll mention is baselines. Now, a baseline can be used a couple of different ways in the realm of security, but here we're going to talk about a baseline as being a minimum acceptable security configuration. In a particular environment, what is the lowest degree of security that's acceptable? For instance, I might build a baseline image for a system, and that baseline image might have the operating system patched through the latest version, security configurations, applications installed, unnecessary services removed. That's the baseline; that's the de facto standard image, and we push that out, maybe to all our client systems. Remember, any changes to that baseline image are going to require that we go through our change management policy.

Baselines are also mandatory, and we're likely to have baseline configurations for each of the major roles for the systems in our environment. I may have a baseline for my Windows domain controllers and a different baseline for my Apache web servers, or whatever that's going to be, but that's the baseline that is going to mandate the security requirements. You might see the baseline referenced in things like, what would you need to do to make a change to a baseline setting? Again, that would be following security policy by utilizing the change management strategy.

Now, this is a good graphic, I think, because it helps put it all together. Up at the top, these are elements of strategic focus; these are the elements that senior leadership is directly involved in. Senior leadership, our governing entities, they're the ones who have to figure out what drivers apply to us as an organization. Usually that revolves around satisfying stakeholder needs, whether our main focus is profit or we may be trying to improve customer reputation; whatever business objective, really, that's going to be the driver. Then we have principles, again broad; you could tie this into strategy about what we want to accomplish long term. And then our policies: again, usually senior management doesn't necessarily write the policies, but they have sign-offs. The policies are indicated to be from senior leadership.

Now, as we get down to the bottom of the pyramid, we see the more tactical and even operational elements like standards and then guidelines, procedures, and baselines. The idea is senior leadership gives a policy that we're going to protect customer information by protecting privacy and having strong access control and all these things. Senior management's not always going to know the technical aspects, so that comes down to our operations team and our more tactical focus for our standards and then, of course, procedures, guidelines, and baselines. That's more in the realm of management than it is governance.

The idea is that these sets of administrative controls are the basis for our security program. We started out with policy in the previous section, but in this particular recording we covered standards, which fill in the details; procedures, which give a step-by-step; guidelines, which give us best practices; and baselines, which are the minimum acceptable security configurations for a system. Next, we're going to move into additional elements of our security program.