Do any of your documented security policies include details on settings for your computers/servers, or do you just apply the policies and not go to that level of detail in your security policies? I've noticed that many of the security standards, such as PCI DSS, require "documented policies and configuration standards", i.e. "personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network".
What do you refer to these documents/policies as in your organisation, i.e. those that go down to the specifics of security standards on the various types of device joined to your network?