I was a guy who hated policies and procedures. I had no use for paperwork. All it does is slow you down. Or so I thought.

After toiling away for decades as a computer security professional, I finally realized that without the appropriate policies and frameworks nothing will ever get done. Anyone can perfectly secure a few computers and devices. I haven’t been exploited in nearly two decades. But you absolutely cannot protect more than a few personal devices, and certainly not an entire company’s computers, for long without the “right” paperwork. I’ve come to appreciate standards, policies, procedures, frameworks, and those who toil to get them right. They really are the true behind‐the‐scenes heroes, and without them we would not be able to make computers significantly more secure.

In this chapter I break down the paperwork that manages computer security into standards, policies, procedures, frameworks, and laws.

Standards

Standards are documented minimum norms, conventions, protocols, or requirements. In the computer security world, standards are often communicated as statements such as the following examples:

• All critical data will be encrypted during transmission and storage.
• Minimum public key cipher key sizes will be 2048‐bit for RSA and Diffie‐Hellman and 384‐bit for ECC.
• Passwords will be a minimum ...