How to Cheat at Managing Information Security

In the computing and networking worlds, we deal with an area of immense complexity. In managing areas of this complexity, it is often possible to achieve a policy objective in a number of ways. Therefore, for key platforms, you should implement platform security standards that dictate exactly how the policy will be implemented for the specific platform.
Figure 2.3 shows the relationship between policies and standards. Each policy statement is analyzed, and the appropriate Windows, UNIX, or firewall setting is embodied in the baseline, which is then mandated. Good practice settings for technical areas not covered by the policy can be incorporated from manufacturers recommendations and other sources.
For example, remember the following policy statement from earlier:
All servers should be configured with the minimum of services to perform their designated functions.
This would spawn a UNIX security standard containing the following directives:
Inetd.conf should not contain any of the prohibited protocols: ftp, rlogin, telnet.
SSH will be used to replace these protocols.
NFS is banned, so S66NFS should be deleted or disabled.
Sendmail will only be started on designated mail servers.
DNS daemons will only be started on designated DNS servers.
This process is critical. Unless you put the time and effort into this area, you are delegating the implementation of the policy to an engineer. Flatly, it is his or her job, and even if the engineer does implement similar settings that...