Standards
Standards are documents that many of us are familiar with. They are mid- to low-level documents that state the "what" of configurations, settings, and intended outcomes: what is and what is not acceptable at the organizational level. Standards also back up the intent of the policy and provide enough detail for someone to write a procedure for performing the task.
A standards document does not detail how to implement something; that is the job of the procedure. A standard states what counts as an acceptable approach to a particular job function or configuration setting. In a previous example, we discussed appropriate configuration settings for encryption. For our 100.02 encryption standard, we could state the following:
- Disable TLS versions 1.1 and lower
- Must use FIPS 140-2 validated cryptographic modules
- Keys must be newly generated when a key is issued or re-issued due to expiration
- Asymmetric encryption algorithms...
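As an added illustration of the gap a procedure has to fill (this code is not part of the original text), the following Python turns the first requirement above, "Disable TLS versions 1.1 and lower", into a check that can be run against a configuration and into the setting a procedure would apply. The nginx-style server block is constructed sample input, and the function names and finding messages are illustrative choices, not anything the standard itself prescribes.

```python
"""Audit nginx-style TLS settings against standard 100.02's protocol requirement.

The standard says only *what* is acceptable (no TLS 1.1 or lower); this module
is an example of the procedure-level 'how': a check over configuration text and
the context setting that enforces the same minimum in a Python client.
"""
import re
import ssl

# Protocol names as nginx spells them, ranked so "lower than" is comparable.
_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
MINIMUM_ALLOWED = "TLSv1.2"
DIRECTIVE_ABSENT = "ssl_protocols directive absent (effective default depends on nginx version)"

# Constructed sample input: a server block that still offers TLS 1.0 and 1.1.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL;
}
"""


def enabled_protocols(config_text):
    """Return the set of protocol tokens enabled by every ssl_protocols directive."""
    enabled = set()
    for match in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE):
        enabled.update(match.group(1).split())
    return enabled


def audit_tls_protocols(config_text):
    """Return (compliant, findings) for the 'disable TLS 1.1 and lower' requirement.

    An absent directive is reported as a finding rather than assumed safe, because
    the version of nginx decides what the default set of protocols is.
    """
    enabled = enabled_protocols(config_text)
    if not enabled:
        return False, [DIRECTIVE_ABSENT]
    findings = []
    for proto in sorted(enabled):
        if proto not in _RANK:
            findings.append(f"unrecognised protocol token {proto!r}")
        elif _RANK[proto] < _RANK[MINIMUM_ALLOWED]:
            findings.append(proto)
    return not findings, findings


def make_client_context():
    """Client-side enforcement of the same requirement: refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    ok, findings = audit_tls_protocols(SAMPLE_CONFIG)
    print("compliant:", ok, "findings:", findings)
    print("client minimum version:", make_client_context().minimum_version.name)
```

The check deliberately reports an absent directive instead of passing it, since a standard that says "disable" is only satisfied when the setting is demonstrably off, not when it happens to default that way on one software version.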