A standard is somewhat more detailed than a policy.
Standards describe how to comply with the policy, and because they are
associated with policies, they should be considered mandatory. Standards are
the extension of the policy into the real world—they specify technology
settings, platforms, or behaviors. Security managers
responsible for IT infrastructure will usually spend more time writing
standards than they spend on policy.
Much of the information contained in this
book pertains to settings for Unix and Windows systems. Those settings would
typically be the level of detail that is included in standards. Compare the
information in those chapters against the set of policy statements listed in
the previous section of this chapter. You’ll see that policy statements are
simple, direct, and somewhat general. Standards interpret the policy to the
level of specifics needed by a subject matter expert.