Examples of Security Policies
Depending on the size of the organization, potentially dozens of security policy topics may be appropriate. For
some organizations, one large document covers all facets; at other organizations, several smaller, individually
focused documents are needed. The sample list that follows covers some common policies that an organization
should consider.
Acceptable use: This policy outlines the acceptable use of computer equipment. The rules are
established to protect the employee and the organization. Inappropriate use exposes the company to risks
including virus attacks, compromise of network systems and services, and legal issues.
Ethics: This policy emphasizes the employee's and the customer's expectation of accountability to fair business
practices. It establishes a culture of openness, trust, and integrity in business practices. This policy can
guide business behavior to ensure ethical conduct.
Information sensitivity: This policy is intended to help employees determine what information can be
disclosed to nonemployees, as well as the relative sensitivity of information that should not be disclosed
outside an organization without proper authorization. The information covered in these guidelines includes,
but is not limited to, information that is either stored or shared via any means. This includes electronic
information, information on paper, and information shared orally or visually (such as by telephone, video
conferencing, and teleconferencing).
E-mail: This policy covers appropriate use of any e-mail sent from an organization's e-mail address and
applies to all employees, vendors, and agents operating on behalf of the company.
Password: The purpose of this policy is to establish a standard for the creation of strong passwords, the
protection of those passwords, and the frequency of change.
Risk assessment: This policy is used to empower the Information Security (InfoSec) group to perform
periodic information security risk assessments (RA) for the purpose of determining areas of vulnerability
and to initiate appropriate remediation.
Tip
Examples of the policies listed previously and other templates can be found at the SANS website:
https://www2.sans.org/resources/policies/#template
Note
Policies need to be concise, to the point, and easy to read and understand. Most of the policies listed previously
are on average two to three pages.
Standards
Standards are industry-recognized best practices, frameworks, and agreed principles of concepts and designs,
which are intended to implement, achieve, and maintain the required levels of processes and procedures.
Like security policies, standards are strategic in nature in that they define system parameters and processes.
Standards vary by industry. Two notable standards in security information management are ISO 17799 (since
renumbered as ISO/IEC 27002) and COBIT. These are discussed in Chapter 25, "Security Framework and
Regulatory Compliance."
Procedures
Procedures are low-level documents providing systematic instructions on how the security policy and the
standards are to be implemented in a system. Procedures are detailed in nature, to provide maximum
information to users so that they can successfully implement and enforce the security policy and apply the
standards and guidelines of a security program.
Employees usually refer to procedures more often than to other policies and standards, because procedures provide
the complete details of the implementation phase of a security program.
Baselines
A baseline is the minimum level of security required in a system. Baselines give users the means to
achieve the absolute minimum security required, applied consistently across all the systems in the organization. For
example, a company might have a baseline requiring Windows 2000 servers to have Service Pack 4 installed on each
server in the production environment. The procedure document would supplement the baseline by spelling out
step-by-step instructions on where to download Service Pack 4 and how to install it to comply with this security
level. Because a baseline states a concrete, measurable requirement, it is also the document against which
compliance is checked: every host in scope either meets the minimum or is a deviation to be remediated.
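The following is an added example, not code from the book, showing how the Windows 2000 / Service Pack 4 baseline described above can be expressed as data and checked against a server inventory. The host records and the `in_scope`, `evaluate` and `report` functions are constructed for illustration; a real check would read the inventory from an asset database or a configuration-management tool rather than from an inline list.

```python
"""Check a server inventory against a minimum-patch baseline.

Added example (not from the book). The baseline mirrors the text: Windows 2000
servers in the production environment must have Service Pack 4. Hosts whose
patch level cannot be determined are reported separately, so that a gap in
the inventory is never silently counted as compliant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Baseline:
    """What the baseline document states: scope plus the minimum requirement."""
    os_name: str
    environment: str
    min_service_pack: int


@dataclass(frozen=True)
class Host:
    """One inventory record. service_pack is None when the level is unknown."""
    name: str
    os_name: str
    environment: str
    service_pack: Optional[int]


# The baseline from the text: Windows 2000 servers in production need SP4.
WIN2000_PROD = Baseline(os_name="Windows 2000", environment="production",
                        min_service_pack=4)

# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY: List[Host] = [
    Host("web01", "Windows 2000", "production", 4),      # meets the baseline
    Host("fs02", "Windows 2000", "production", 3),       # below the minimum
    Host("db03", "Windows 2000", "production", None),    # level not recorded
    Host("lab04", "Windows 2000", "lab", 2),             # outside the scope
    Host("app05", "Windows Server 2003", "production", 1),  # different OS
]

STATUSES = ("compliant", "noncompliant", "unknown", "out-of-scope")


def in_scope(host: Host, baseline: Baseline) -> bool:
    """A baseline only applies to the OS and environment it names."""
    return host.os_name == baseline.os_name and host.environment == baseline.environment


def evaluate(host: Host, baseline: Baseline) -> str:
    """Classify one host against the baseline.

    Returns one of STATUSES. An unknown patch level is its own status rather
    than a pass: the baseline is a minimum, so "could not verify" must be
    treated as a deviation to investigate, not as compliance.
    """
    if not in_scope(host, baseline):
        return "out-of-scope"
    if host.service_pack is None:
        return "unknown"
    if host.service_pack >= baseline.min_service_pack:
        return "compliant"
    return "noncompliant"


def report(inventory: List[Host], baseline: Baseline) -> Dict[str, List[str]]:
    """Group host names by status; every status key is present, even if empty."""
    grouped: Dict[str, List[str]] = {status: [] for status in STATUSES}
    for host in inventory:
        grouped[evaluate(host, baseline)].append(host.name)
    return grouped


def deviations(inventory: List[Host], baseline: Baseline) -> List[str]:
    """Hosts that need remediation: below the minimum or unverifiable."""
    grouped = report(inventory, baseline)
    return grouped["noncompliant"] + grouped["unknown"]


if __name__ == "__main__":
    for status, hosts in report(SAMPLE_INVENTORY, WIN2000_PROD).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
    print("needs remediation:", deviations(SAMPLE_INVENTORY, WIN2000_PROD))
```

The point of keeping `unknown` separate from `noncompliant` is that the two call for different procedures: a host below the minimum follows the patch-installation procedure, while a host with no recorded level first needs the inventory corrected before the baseline can be verified at all.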
Guidelines
Guidelines are recommended actions and operational guides for users. Similar to procedures, guidelines are
tactical in nature. The major difference between standards and guidelines is that guidelines can be used as
a reference, whereas standards are mandatory actions in most cases.
Figure 1-3 depicts the fundamental relationship between security policies, standards, baselines, guidelines, and
procedures.
Figure 1-3. Relationships Between Security Policies, Standards, Procedures, Baselines, and Guidelines