Policies, standards, procedures, and guidelines

A follow-on to the previous section is policies, standards, procedures, and guidelines. This section works hand-in-hand with baselining and holds extreme importance within an organization. It is critical that, as part of your security program, well-defined policies, standards, and procedures are in place and are followed by everyone. In addition, it is important that policies are signed off on and enforced by leadership. Without this support, it becomes much more difficult to enforce the policies and to get the whole organization behind security.

Start by defining and creating your company policies. Your standards can then be built on those policies to form the foundation of your baselines. Once these baselines are created, procedures and guidelines can be built to implement the baselines and help accomplish the end goal. Keeping this strategy in mind will drive compliance with your company policies.

The following section provides a brief overview of policies, with recommendations of policies, standards, procedures, and guidelines.

Defining policies

A security policy is the first level of formalized documentation for your organization's security program and is mandatory. Policies are a critical component of your overall security program and require sign-off and support from the leadership team to ensure success. Policies should be very broad and general with no direct tie to the technology or solutions within the organization. In general, they should not change often but periodic review is critical. Some examples of policies may include an acceptable use policy, a change management policy, a disaster recovery policy, a privacy policy, an information security program policy, and so on.

If you don't have any policies in place that relate to your Windows security, it is highly recommended that you begin with some basics. The following, as a minimum, should be included to secure your devices and should be referenced in a policy:

  • Security updates
  • Encryption
  • Firewall
  • A password policy, multi-factor authentication (MFA), and biometrics
  • A local administrative access strategy
  • Security protection tools and antivirus
  • Compliance and protection policies
  • Data loss prevention and information protection

An example of a policy may include one that requires all systems to be kept up to date with the most recent security updates.

Next, let's look at setting standards to follow the defined policies.

Setting standards

Standards follow policies as they define the specifics of each policy and are mandatory. They provide the direction needed to support the policies. Standards help enforce consistency throughout an organization and provide specifics on the technology to be deployed.

The following are examples of standards for the recommended items listed in the previous section:

  • All Windows 10 workstations will be configured using Windows Update for Business and Windows servers will use Windows Server Update Services (WSUS) or Azure Update Management. Update schedules will be defined and documented by the business use case.
  • All Windows servers and end user workstations will be encrypted using BitLocker and/or Azure Disk Encryption.
  • The Windows firewall will be enabled and configured on all Windows end user devices and servers. Connection rules will be documented.
  • PINs and biometrics with Windows Hello will be set up and accounts will be required to use a password with a minimum of 12 characters. Passwords must contain lowercase, uppercase, numerical, and special characters and will be required to be changed annually.
  • MFA will be required for all users accessing the corporate environment and resources.
  • There will be no standard user accounts assigned with local admin access on any Windows device.
  • All Windows end user devices and servers will have Windows Defender Advanced Threat Protection (ATP) applied to them.
  • Compliance policies for conditions such as device risk and a minimum OS version will be assigned and enforced with Conditional Access on Windows devices.
  • Unified labeling with data loss prevention and information protection will be deployed to all Windows end user devices.
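Standards are only useful if you can measure a device against them. The following PowerShell script is an added example (not code from the book): it audits the local Windows 10 device against several of the standards above and returns one row per standard with a pass/fail verdict. The 30-day patch window and the interpretation that only the built-in Administrator account may be a local admin user are assumptions; the 12-character minimum comes from the password standard.

```powershell
#Requires -RunAsAdministrator
# Added example (not the book's code): audit a Windows 10 device against several of
# the standards above. The 30-day patch window and "only the built-in Administrator
# may be a local admin user" interpretation are assumptions.
function Test-WorkstationStandards {
    param([int]$MinPasswordLength = 12, [int]$MaxDaysSinceUpdate = 30)
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Standard, $Compliant, $Detail) {
        $results.Add([pscustomobject]@{ Standard = $Standard; Compliant = [bool]$Compliant; Detail = $Detail })
    }
    # Security updates: the newest installed hotfix must fall within the window
    $fix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($fix) { ((Get-Date) - $fix.InstalledOn).Days } else { [int]::MaxValue }
    Add-Result 'Security updates' ($age -le $MaxDaysSinceUpdate) "Last hotfix $($fix.HotFixID), $age days ago"
    # Encryption: system drive fully encrypted with BitLocker protection switched on
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Result 'Encryption' ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') "$($vol.ProtectionStatus)/$($vol.VolumeStatus)"
    # Firewall: Domain, Private and Public profiles must all be enabled
    $profiles = Get-NetFirewallProfile
    Add-Result 'Firewall' (-not ($profiles | Where-Object { -not $_.Enabled })) (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')
    # Password policy: local minimum password length (from 'net accounts') must meet the standard
    $minLen = [int]([string](net accounts | Select-String 'Minimum password length') -replace '\D', '')
    Add-Result 'Password length' ($minLen -ge $MinPasswordLength) "Minimum length $minLen"
    # Local admin access: no user accounts in Administrators beyond the built-in Administrator
    $extra = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike '*\Administrator' })
    Add-Result 'Local admin access' ($extra.Count -eq 0) "Extra admin users: $($extra.Name -join ', ')"
    # Security protection tools: Defender antivirus with real-time protection enabled
    $mp = Get-MpComputerStatus
    Add-Result 'Antivirus' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "RTP=$($mp.RealTimeProtectionEnabled)"
    return $results
}
Test-WorkstationStandards | Format-Table -AutoSize
```

Any row with Compliant = False is a gap between the standard and the device, and it is exactly the kind of finding a compliance policy would surface centrally through Intune or Conditional Access.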

Next, let's look at building procedures to define a set of instructions used to accomplish tasks.

Creating procedures

Procedures are the step-by-step instructions used to accomplish a repeatable task or process. These instructions are intended to achieve a specific goal and assist with implementing the defined policies and standards, as well as any guidelines that may apply. Procedures can change frequently as software versions change, hardware is replaced, and so on. To help your organization document and consistently follow its procedures, you may want to look at a third-party tool. One example is a tool known as Nintex Promapp, which helps document and share your organization's processes. It can be found at https://www.promapp.com/.

An example of a procedure is as follows:

  1. Deploy a new device with Windows 10.
  2. Ensure the device is connected to the internet.
  3. Validate the device configurations, that applications have been installed, and so on.
  4. Check that the device is compliant.

Finally, let's look at creating guidelines to act as recommended best practices.

Recommending guidelines

Guidelines provide recommendations or best practices and are not mandatory requirements. They can be complementary controls, in addition to standards, or even provide guidance where a standard may not apply.

An example of a guideline may include ensuring that you save and close all documents and programs before rebooting after receiving the latest Windows updates.

Although they are not mandatory, guidelines provide a lot of value to users and help them be more productive with technology. When building guidelines, it's important to think about how to efficiently make them visible and accessible to users. An effective communication plan is critical to ensure users read and use the guidelines. The following are five ideas to help with communicating your guidelines:

  • Build a theme around your guideline communications—for example, smart tech guidelines.
  • Insert a section of the guidelines in the company newsletters and/or communications.
  • Link your guidelines back to a central repository for users to come back to and access.
  • Keep your guidelines short and to-the-point.
  • Make your guidelines relevant to both professional and personal usage.

The following diagram illustrates a hierarchy of policies, standards, procedures, and guidelines, as well as highlights where baselines fall within the model:

Figure 2.1 – Policies, standards, procedures, guidelines, and baselines

In the next section, we will provide an overview of the change management process. It's important to follow a change control process whenever implementing change in the environment.