CHAPTER 13 Policies, Standards, and Guidelines

Introduction

In earlier chapters, we took a broad look at the hazards and challenges organizations face when their businesses depend on data networks. Whether a government agency or private firm, all organizations face similar security challenges – how to best protect assets without impairing productivity and the bottom line. We also looked at various protective measures to protect assets, primarily performed by trained system administrators. We also looked at recommended procedures for reacting to adverse events, thereby controlling damage and minimizing the impact upon the organization.

In this chapter, we will step away from the technical world and discuss administrative mechanisms available to security analysts and system administrators. These mechanisms allow security administrators to guide the behaviors of IT users in the organization in a manner that reduces easily avoidable security hazards. Without these mechanisms, system administrators would spend enormous amounts of time fixing security problems that should not have occurred in the first place, at significant costs to the organization.

At the end of the chapter, you should be able to:

• Understand the difference between security and compliance requirements
• Distinguish between policies, standards, and procedures
• Understand the life cycle of a policy
• Identify a set of policies considered “a must” for any organization

Guiding principles

The administrative mechanisms used ...