Standards, Procedures, Guidelines, and Baselines

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Now, after we talk about policies, because we said policies are going to be broad: not a lot of details, not a lot of references to individual roles or any type of technology or steps. We know that we need to fill in the void that's left by policies. The way we do that is with our standards, procedures, guidelines, and baselines. These are much more likely to change than our policies.

Now, as I mentioned in the last section, our standards, these are going to fill in the details to the policy; they are mandatory. Whereas I say we're going to back up on a regular basis, that might be part of my policy. My standard is going to say that we're going to back up on a nightly basis. We might specifically say we're going to back up using McAfee's backup tool or whatever that might be. But ultimately, this fills in the details of policy, and just like policy, standards are mandatory as well.

Now, the procedures are step-by-step instructions. We're going to perform backups on a nightly basis. On Monday, on Sunday night maybe we'll do a full backup; on the remainder of the days of the week, we will provide incremental backups. We will test the backups for completeness once a week or whatever. These are step by step by step how we're going to do it. Our procedures. Now, procedures and standards are mandatory.

Our guidelines are optional. These are those things we should do instead of shall do. In order to maintain security awareness, it's recommended that employees attend training classes whenever possible. That's a guideline. Words like "it is suggested" or "it's recommended" or "whenever possible", that's going to help you clue in that it's a guideline. This is the only one of those that's not mandatory. We have our policies, standards that are mandatory; our guidelines are not.

Then the last element here that I'll mention are baselines. Now, a baseline can be used in a couple of different ways in the realm of security. But here we're going to talk about a baseline as being a minimum acceptable security configuration. In a particular environment, what is the lowest degree of security that's acceptable? For instance, I might build a baseline image for a system. That baseline image might have the operating system patched through the latest version, security configurations, applications installed, unnecessary services removed. That's the baseline. That's the de facto standard image. We push that out maybe to our client systems. Remember, any changes to that baseline image are going to require that we go through our change management policy.

Baselines are also mandatory, and we're likely to have baseline configurations for each of the major roles for the systems in our environment. I may have a baseline for my Windows domain controllers and a different baseline for my Apache web servers or whatever that's going to be. But that's the baseline; it's going to mandate the security requirements. You might see the baseline referenced in things like, what would you need to do to make a change to a baseline setting? Again, that would be following security policy by utilizing the change management strategy.

Now, this is a good graphic, I think, because it helps put it all together. Up at the top, these are our elements of strategic focus. These are the elements that senior leadership is directly involved in. Senior leadership or governing entities, they're the ones who have to figure out what drivers apply to us as an organization. Usually that revolves around satisfying stakeholder needs. Whether our main focus is profit or we may be trying to improve customer reputation, whatever business objective, really, that's going to be the driver. Then we have principles, again broad. You could tie this into strategy about what we want to accomplish long term. Then our policies again; usually senior management doesn't necessarily write the policies, but they have signed off. The policies are indicated to be from senior leadership.

Now, as we get down to the bottom of the pyramid, we see the more tactical and even operational elements like standards and then guidelines, procedures, and baselines. The idea is, senior leadership gets a policy that we're going to protect customer information by protecting privacy and having strong access control and all these things. Senior management's not always going to know the technical aspects. That comes down to our operations team and our more tactical focus for our standards. Then of course, procedures, guidelines, and baselines, that's more in the realm of management than it is governance.

The idea is the basis for our security program is these sets of administrative controls. We started out with policy in the previous section, but now in this particular recording, we covered standards, filling in the details; procedures, giving a step-by-step; guidelines giving us best practices; and baselines being the minimum acceptable security configurations for our systems. Next, we're going to move into additional elements of our security program.