
Gathering and documenting your Windows desktop security policies
Kevin Beaver, CISSP

Having the right security documentation for your Windows-based network should be a top priority. Once you've designed the proper foundation for the security of your Windows desktop environment, the next step is putting the right security policies in place. The following proven techniques will help you get through this process and make sure the policies actually work to your advantage.
Before you start writing policies, you need to know where your business is at risk. Enacting policies that are good in name only wastes time. Worse, it can get your organization into hot water by misrepresenting what you are actually doing. Based on the outcome of your information risk assessment, covering both technical and operational issues, you will likely need the following desktop-centric policies:
- Change Management
- Mobile Device Synchronization and Handling
- Patch Management
- Remote Access
- Removal of Computer Equipment
- Security Testing
- Security Awareness and Training
- System Logging and Monitoring
- User Authorization
- Wireless Networks
The next step is to determine what needs to be documented. Take some time to think through the security issues related to managing your desktops, and start putting together your minimum security standards and necessary policies. This isn't something, however, that you should take on by yourself. If you work for a relatively small organization where you are the chief cook and bottle washer when it comes to IT, security and compliance, talk these things over with someone in management. If you are in a larger organization, this type of security standardization and policy development should be handled by a security, compliance or IT governance committee. It likely won't work any other way.
Once you are ready to write out what you expect, I highly recommend bringing some formal structure to your security policy documents. The following security policy template has been shown to work well:
- Introduction: An overview of what you're covering, such as patch management, malware protection, system maintenance and monitoring, vulnerability testing and so on.
- Purpose: The high-level goal(s) and strategy of the policy.
- Scope: The systems (e.g., desktops, all Windows systems, office applications), users and departments that are covered.
- Exceptions: Specific systems (e.g., Windows XP and older systems), users and departments that are not covered by the policy.
- Roles and responsibilities: The people involved and what's expected of them in support of the policy.
- Policy statement: A place to state your actual policy. Be sure to make it clear that "this is how we do things here".
- Procedures: Detailed steps that outline how you're actually carrying out the policy and how it's being enforced. You might want to consider documenting your procedures in a separate document if they are more than a few sentences in length.
- Compliance metrics: The procedures and means used to measure compliance with the policy.
- Review and evaluation: When the policy will be reviewed and evaluated for accuracy, applicability, etc.
- Sanctions: Specific consequences for policy violations, such as, "X will happen on the first offense, Y for the second offense, and Z for the third offense". (This is where the value of having a security committee, or at least management buy-in and support, becomes obvious.)
- References: Laws, regulations, and frameworks, such as state breach notification laws, HIPAA, PCI DSS, ISO/IEC 27002 and so on.
- Related documents: Other policies, guidelines, standards (such as the ones I've mentioned previously) and documents that pertain to the policy.
- Revisions: The ongoing changes to the policy document (who changed what, when and why).
- Notes: Notes, findings, lessons learned, etc., that can help with future policy management.
The bottom line with security policies is to keep them simple and concise, outline what's expected and keep everyone informed. Also, don't forget to make sure they're actually enforced. The most important thing of all, however, is to just get rolling. If you're diligent and disciplined, you can build out your desktop security-related documentation in no time. You'll have the essentials in place, and you'll be ready to take on any new desktop software that comes your way.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.