Developing Policies, Standards, and Guidelines – CompTIA Security+ Lesson 2

The first step in implementing and maintaining a secure network is to create and use policies, standards, and guidelines.

Policies, standards, and guidelines set a standard of expectation in an organization. Think of policies as providing high-level guidance on big issues. Standards define what should be expected, or what the norm is. Guidelines provide advice or instructions on how to accomplish a given task, process, or activity.


Policies tell the users of a network (the people in an organization) what behaviour is expected from them, and they outline the consequences when the policy is not followed. A policy should contain the following parts:

  • Scope Statement: What the policy intends to accomplish. Lists related documents, laws, and practices (the basis of the policy).
  • Overview Statement: The goal of the policy, why it is important, and how to comply with it.
  • Statement: The substance of the policy. Can be a paragraph, a list, or a checklist, depending on the target audience and the nature of the policy (e.g. a checklist for how to securely lock doors after work hours).
  • Accountability Statement: Addresses who is responsible for ensuring that the policy is enforced. Should also list who to contact if a problem is discovered, and the consequences of not complying with the policy.
  • Exception Statement: How to deviate from the policy in situations the policy did not foresee. Can additionally name an escalation contact.

Business Policies to Implement

Business policies address organizational and departmental business issues. These should be the ones you consider implementing.

Separation of Duties Policies

Basically, this policy aims to avoid fraud and other losses by requiring more than one person to complete key processes. Many banks require multiple steps and approvals to transfer money. This reduces the likelihood of fraud: you cannot do it alone, you would have to get a group of people to collude, which is far less probable.
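The bank-transfer case above is the classic "dual control" form of separation of duties. The following added example (my own illustration, not code from the lesson) shows the check a transfer system would enforce: the person who initiated a transfer can never approve it, each approver counts once, and transfers at or above an assumed threshold need two distinct approvers. The threshold, the names, and the `Transfer` structure are all constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed cut-off above which a second, distinct approver is required.
SECOND_APPROVAL_THRESHOLD = 10_000


@dataclass
class Transfer:
    """A pending transfer and the people who have approved it (constructed type)."""
    amount: int
    initiated_by: str
    approvals: list = field(default_factory=list)


def required_approvals(amount):
    """Number of approvers (other than the initiator) a transfer of this size needs."""
    return 2 if amount >= SECOND_APPROVAL_THRESHOLD else 1


def approve(transfer, approver):
    """Record an approval, refusing self-approval and duplicate approvals."""
    if approver == transfer.initiated_by:
        # The core separation-of-duties rule: initiator and approver must differ.
        raise PermissionError(f"{approver} initiated this transfer and cannot approve it")
    if approver in transfer.approvals:
        # One person approving twice must not count as two approvals.
        raise PermissionError(f"{approver} has already approved this transfer")
    transfer.approvals.append(approver)


def can_execute(transfer):
    """True only when enough distinct people other than the initiator have approved."""
    distinct_approvers = set(transfer.approvals) - {transfer.initiated_by}
    return len(distinct_approvers) >= required_approvals(transfer.amount)


if __name__ == "__main__":
    # Constructed walk-through: a large transfer needs two other people.
    large = Transfer(amount=50_000, initiated_by="alice")
    approve(large, "bob")
    print("after one approval:", can_execute(large))   # False
    approve(large, "carol")
    print("after two approvals:", can_execute(large))  # True
```

Note that the rule is enforced in `approve`, not only in `can_execute`: rejecting the self-approval at the moment it is attempted leaves an auditable event, which is exactly what the accountability statement of the policy is meant to make possible.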

Privacy Policies

A privacy policy states what will happen with the data: what information the company collects, what options users have, whether and how the data is shared with other parties, what security measures protect it, and how the policy is enforced. A good example is Google's privacy policy.

Acceptable Use Policies

This policy defines how employees may use company systems and resources, as well as the consequences for misuse. Portable devices such as USB flash drives and smartphones should also be covered by this policy. Cloud drives count as "portable devices" too.

Security Policies

Defines what controls are required to implement and maintain security. This policy should be used as a guide during system implementations and evaluations.

Mandatory Vacations Policies

There should be a requirement for all workers to take a vacation. This ensures the company does not become too dependent on one person, and the absence can be used as an opportunity to discover fraud.

Job Rotation Policies

It is used for similar reasons as the one above, except the workers don't get to fly to Hawaii; they just change seats with a colleague from another department, depending on their skills.

Least Privilege Policies

Should be applied whenever permissions are assigned. Give users only the permissions they need to do their work, and nothing more.
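A least privilege policy is only as good as the check that enforces it. The following added example (my own, not from the lesson) is the kind of audit an administrator can run against an access list: each role has a baseline of permissions it needs, and every account is compared against the baseline for its role, so any grant beyond it is reported. The roles, permission names, and sample accounts are constructed for the example; an account with a role that has no baseline is treated as having no justified permissions at all.

```python
# Baseline permissions each role needs to do its job (constructed sample).
ROLE_BASELINE = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "auditor": {"log:read", "ticket:read"},
}

# Constructed sample of what accounts have actually been granted.
ACCOUNTS = [
    {"user": "dana", "role": "helpdesk",
     "granted": {"ticket:read", "ticket:write", "user:reset_password"}},
    {"user": "eli", "role": "developer",
     "granted": {"repo:read", "repo:write", "ci:run", "prod:deploy"}},
    {"user": "fay", "role": "auditor",
     "granted": {"log:read", "ticket:read", "ticket:write", "repo:write"}},
    {"user": "gus", "role": "contractor",        # role with no defined baseline
     "granted": {"repo:read"}},
]


def excess_permissions(account, baseline=ROLE_BASELINE):
    """Permissions an account holds beyond what its role's baseline justifies.

    An unknown role gets an empty baseline, so everything it holds is excess:
    a missing baseline is itself a finding, not a reason to skip the account.
    """
    allowed = baseline.get(account["role"], set())
    return sorted(account["granted"] - allowed)


def audit(accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Return {user: [excess permissions]} for every account over its baseline."""
    findings = {}
    for account in accounts:
        extra = excess_permissions(account, baseline)
        if extra:
            findings[account["user"]] = extra
    return findings


if __name__ == "__main__":
    for user, extra in audit().items():
        print(f"{user}: remove {', '.join(extra)}")
```

Running the audit regularly (and after every role change) is what turns the one-sentence policy into something an auditor can verify, which is the level of detail the standards section below asks for.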


Standards deal with specific issues or aspects of a business. A standard states what should normally happen when you perform an action or activity, and it should have enough detail that an audit could be performed against it. It is a bit like unit testing for real-life scenarios. Standards should consist of:

  • Scope and Purpose: Explains or describes the intention.
  • Roles and Responsibilities: Determines who is responsible for what. It should be clear who is responsible for accomplishing which tasks.
  • Reference Documents: Relation to organization policies, laws, and other important documents.
  • Performance Criteria: Outlines how to accomplish the task. Should include a baseline and technology standards (e.g. information about the platforms and technologies: which OS will be installed, the type of computer used, etc.).
  • Maintenance and Administrative Requirements: Outlines what is required to manage the systems or network (e.g. how often passwords must be changed for administrative users).


Guidelines are less formal than the two above. The goal is to "teach" users how to do certain tasks. I think they are more of a handbook or instruction manual that helps users implement and maintain the standards. The minimum content of a guideline should be:

  • Scope and Purpose: Overview and statement of the guideline's intent.
  • Roles and Responsibilities: Determines who is responsible for what. It should be clear who is responsible for accomplishing which tasks.
  • Guideline Statements: Mostly step-by-step instructions on how to accomplish a specific task.
  • Operational Considerations: A list that could include daily, weekly, and monthly tasks.

Advantages of guidelines:

  • They refresh the memory of experienced support and security staff for tasks that are rarely done
  • New users have a reduced learning curve
  • They let you keep your cool in hot situations