ABSTRACT

Once you have established your strategy, you need to codify it into your corporate security policies. As most good security texts will tell you, a security policy describes the “what.” What does the organization need to do to maintain security? Policies are fairly high level, providing broad statements that indicate direction without providing actionable detail. This is where standards come in. Standards are much more detailed and describe the “how.” How will you harden your border routers and Windows servers? How will you name users? Standards can be technology-specific (e.g., hardening or encryption standards), or they can be technology-agnostic (e.g., authorization or password management).