Develop clear security policy documentation, including the following:
- Policy. This is the high-level document, typically issued and approved by senior management. Policy is mandatory. It is deliberately broad: a policy might require you to protect the confidentiality of company data without specifying how to do so; that detail is left to the standards and procedures beneath it.
- Standards. These are more specific than policies and are also mandatory. They define the technologies, configurations and practices the company requires, such as which hardware and software may be used. For example, an organization might standardize on virtual machines rather than physical servers.
- Procedures. These are the step-by-step documents that detail how to perform a specific task, such as restoring a database. The person performing the task follows the document. Procedures are mandatory: if you have a procedure for restoring a database, it must be followed for every database restore.
- Guidelines. These are recommended but optional. For example, your organization might have a guideline recommending that passwords be stored in an encrypted password vault. That is good advice, but someone may choose instead to memorize passwords or to use another secure storage mechanism.
- Baselines. Although baselines are not explicitly mentioned in this section of the exam, don't forget about them. A baseline is a predefined set of configuration settings that automates implementation of your standards and so enforces adherence to them. For example, if your server build standard has 152 configuration items, you can capture all of them in a baseline that is applied to every server as it is built. In a Windows network, Group Policy Objects (GPOs) are commonly used to enforce standards in this way. Configuration management solutions can also help you establish baselines and spot systems whose configuration has drifted away from them.
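The drift check that configuration management tools perform against a baseline can be illustrated with a small script. The following is an added example, not code from the original text or from any particular tool; the baseline items, setting names and sample host configurations are all constructed for illustration. It shows that a baseline is more than a list of exact values: each item carries a rule (equal to, at least, at most, one of), and the check distinguishes items that drifted, items the host did not report at all, and settings on the host that the baseline does not manage.

```python
"""Compare a host's observed configuration against a baseline.

Added example with constructed data; the setting names and values are
illustrative and do not correspond to a real GPO or CM export.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class BaselineItem:
    """One configuration item and the rule an observed value must satisfy."""
    name: str
    rule: str        # "equals", "at_least", "at_most" or "one_of"
    expected: Any


# Constructed sample baseline: five of the items a server build standard might carry.
BASELINE = (
    BaselineItem("PasswordMinLength", "at_least", 14),
    BaselineItem("LockoutThreshold", "at_most", 5),
    BaselineItem("SMBv1Enabled", "equals", False),
    BaselineItem("RDPEncryptionLevel", "one_of", frozenset({"High", "FIPS"})),
    BaselineItem("AuditLogonEvents", "equals", "SuccessAndFailure"),
)


def satisfies(item: BaselineItem, actual: Any) -> bool:
    """Return True when the observed value meets the item's rule.

    A value of the wrong type (for example a string where a number is expected)
    cannot be compared and is treated as drift rather than raising.
    """
    try:
        if item.rule == "equals":
            return actual == item.expected
        if item.rule == "at_least":
            return actual >= item.expected
        if item.rule == "at_most":
            return actual <= item.expected
        if item.rule == "one_of":
            return actual in item.expected
    except TypeError:
        return False
    raise ValueError(f"unknown rule {item.rule!r} for {item.name}")


def check_host(observed: dict[str, Any], baseline=BASELINE) -> dict[str, Any]:
    """Report drift between a host's observed settings and the baseline.

    Returns the drifted items (expected vs actual), the baseline items the host
    did not report, and host settings the baseline does not manage. A host is
    compliant only when nothing drifted and nothing is missing; unmanaged
    settings are listed for review but do not fail the check.
    """
    drift, missing = [], []
    for item in baseline:
        if item.name not in observed:
            missing.append(item.name)
        elif not satisfies(item, observed[item.name]):
            drift.append({"item": item.name, "rule": item.rule,
                          "expected": item.expected, "actual": observed[item.name]})
    managed = {item.name for item in baseline}
    unmanaged = sorted(set(observed) - managed)
    return {"compliant": not drift and not missing,
            "drift": drift, "missing": missing, "unmanaged": unmanaged}


# Constructed sample hosts: one that matches the baseline, one that has drifted,
# omits an item, and carries a setting the baseline does not manage.
COMPLIANT_HOST = {
    "PasswordMinLength": 16, "LockoutThreshold": 3, "SMBv1Enabled": False,
    "RDPEncryptionLevel": "FIPS", "AuditLogonEvents": "SuccessAndFailure",
}
DRIFTED_HOST = {
    "PasswordMinLength": 8, "LockoutThreshold": 10, "SMBv1Enabled": True,
    "AuditLogonEvents": "SuccessAndFailure", "TelnetEnabled": True,
}

if __name__ == "__main__":
    for label, host in (("compliant host", COMPLIANT_HOST), ("drifted host", DRIFTED_HOST)):
        report = check_host(host)
        print(f"{label}: compliant={report['compliant']}")
        for d in report["drift"]:
            print(f"  drift   {d['item']}: expected {d['rule']} {d['expected']!r}, got {d['actual']!r}")
        for name in report["missing"]:
            print(f"  missing {name}")
        for name in report["unmanaged"]:
            print(f"  unmanaged {name}")
```

In practice the observed dictionary would come from the host (a Group Policy result export, a configuration management agent's inventory, or a registry query), and the report would feed a remediation job that reapplies the baseline to anything that has drifted.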