Standards

A standard describes the specific use of technology, most often applied to hardware and software. “All employees will receive an ACME Nexus-6 laptop with 16 gigabytes of memory, a 4.0 GHz CPU, and a one-terabyte disk” is an example of a hardware standard. “The laptops will run Windows 11 Professional, 64-bit version” is an example of a software (operating system) standard.

Standards are mandatory. They lower the total cost of ownership (TCO) of a safeguard, because one configuration has to be designed, tested, patched and supported rather than many. Standards also support disaster recovery. Imagine two companies in buildings side by side in an office park, each with 1000 laptops in its building.

One company uses standard laptop hardware and software. The laptop operating system is installed from a central, preconfigured and patched image. That standard image includes preconfigured network file storage, all required tools and applications, and preconfigured antivirus and firewall software. Users are forbidden from installing their own applications, so every laptop matches the image and a single patch or configuration change can be applied uniformly across the fleet.

The other company does not employ standards. The laptop hardware comes from a variety of vendors. Multiple operating systems are in use, at various patch levels. Some laptops use network storage; others keep data only on the local disk. Many have applications installed by end users.

Which company will recover more quickly if both buildings burn down? The first company needs to buy 1000 identical laptops, recover the OS image and imaging software from offsite storage, configure an imaging server, and rebuild the laptops. Not easy, but doable. The second company has no single image to restore and no inventory of what each laptop ran or stored locally, so its recovery will be far more difficult and far more likely to fail.

Guidelines

Guidelines are recommendations, and recommendations are discretionary. A guideline can be a useful piece of advice, such as “To create a strong password, take the first letter of every word in a sentence, and mix in some numbers and symbols. ‘I will pass the CISSP® exam in 6 months!’ becomes ‘Iwptcei6m!’ ”

You can create a strong password without following this advice, which is why guidelines are not mandatory. They are useful nonetheless, especially for novice users, as long as the sentence chosen is not a well-known quotation or song lyric that an attacker could guess.

Baselines

Baselines are uniform ways of implementing a standard. “Harden the system by applying the Center for Internet Security Linux benchmarks” is an example of a baseline (see https://www.cisecurity.org/cis-benchmarks/ for the CIS Benchmarks; they are a great resource). The system must meet the level of security described by those benchmarks.

Baselines are discretionary in how they are met: it is acceptable to harden the system without following the aforementioned benchmarks, as long as the result is at least as secure as a system hardened using them. The baseline therefore fixes the minimum acceptable security level, not the exact steps used to reach it. Formal exceptions to a baseline require senior management sign-off.

Table 2.3 summarizes the types of security documentation.

Document  | Example                                                                                        | Mandatory or discretionary?
----------|------------------------------------------------------------------------------------------------|----------------------------
Policy    | Protect the CIA of PII by hardening the operating system                                       | Mandatory
Procedure | Step 1: Install pre-hardened OS image. Step 2: Download patches from update server. Step 3: ... | Mandatory
Standard  | Use Nexus-6 laptop hardware                                                                    | Mandatory
Guideline | Patch installation may be automated via the use of an installer script                        | Discretionary
Baseline  | Use the CIS Windows Benchmark                                                                  | Discretionary