Considerations For Interpreting A Security Policy

By Author: unknownmem
Total Articles: 128
Comment this article

You might not be able to apply every security policy by using security 70-291 templates, but you can apply some. Likewise, you want to be sure that nothing you implement in a security template violates security policy. For these reasons, you should examine the security policy and, where possible, map policy to templates.
Written security policies do not usually include exact parameters. They do not, for example, usually specify products or indicate exactly which user accounts can read and write files and registry keys. You will not find many references that you can directly plug into the template. Instead, your written security policy must be inter-preted according to the current technology. The organization usually produces "written guidelines, which suggest the current interpretation or how to interpret the guidelines, and procedures, which specify the exact steps taken to perform IT-related tasks.

For example, the security policy might state that data owners—those responsible for file content—have the right to decide who can read, write, or do both to the ...
... files. Guidelines might identify how data ownership is determined and where that informa-tion can be found. Procedures specify how to take that information and use the current technical controls to enforce the MCITP study guides free download specifications. The current procedures in your organization might detail how to change the security permissions on NTFS-based files and folders. For all portions of the template, review the security policy, guidelines, and procedures so that you can use them to complete the template or at least to pre?vent creating a security template that violates the organization's security policy.
As you begin to interpret your security policy and apply it to the baseline security tem?plate, think about the topics in the following sections.

Most written security policies are vague, but the password policy is typically an exception. Authentication is such an important facet of IT security that a written security policy might specify the exact length of the password, when it must be changed, and so on. If this information is present in your security policy, you must consider how it will affect the baseline security template. Password policy for domain accounts is configured in the default domain GPO. If a password policy is defined in a GPO linked to any other location, it will affect only the local accounts of the computers that apply the GPO. This means that only users who use local accounts to authenticate will be affected by the policy in the GPO. It does not mean, however, that you should ignore the password policy free Network+ study guides part of the baseline security template.