Policies and configuration standards

Do any of your documented security policies include details on settings for your computers/servers, or do you just apply the policies and not go to that level of detail in your security policies? I've noticed that many of the security standards, such as PCI DSS, require "documented policies and configuration standards", i.e. "personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network".

What do you refer to these documents/policies as in your organisation, i.e. those that go down to the specifics of security standards on the various types of device joined to your network?
Muhammad Burhan, Manager I.T., Commented:
Almost every organization has its own standards regarding infrastructure and security.
The best practice is to first secure your internal organization's network from outside threats/attacks through firewalls and anti-virus/anti-malware solutions.
Firewalls can be hardware or software which protect/filter the incoming/outgoing internet traffic.
Antiviruses are also software which protect computers individually.
We don't dive down into the details. For example, we have a policy that states that all computers will be protected with an AV product. I don't list what that AV product is because it may change over time or, in our case, we have a different product in use for physical desktops and virtual desktops. We have a policy that talks about using VPNs, but again we don't specify what the client ought to be. We don't consider that kind of information pertinent to a policy, and it saves us from having to remember and republish the policy should we make changes over time.

pma111 (Author) Commented:
That's what I assumed would be the case: a top-level summary of settings, but no real specifics. In terms of the policy that mentioned AV, is that just referred to as the security policy? Some seem to have a server hardening/management policy, a desktop hardening/management policy, etc.
Each environment would be different, but in ours, yes, that's a security policy. We're a medical facility and so I have a whole group of policies that are HIPAA related. Then I did a security policy manual based on what I found some other institutions had done. There is some overlap in the policies, but that's OK. We have the security policies divided into 6 different areas: Use and Access, Protection, IT Management, Privacy, Infrastructure and Misc.