Procedures

Procedures describe how to do something. We take the requirements that come from standards and write up how to implement them. Procedures must also be written in such a way that junior analysts can take the document and implement the control with little to no assistance.

Would someone on your team know how to perform your job functions if you were to win the lottery? Procedures must be written in such a way as to allow for this. A procedure is a step-by-step document that depicts how to implement a technology.

How it differs from a standard

While standards state what to configure, a procedure states how to implement it. Taking from the encryption examples we discussed in the standards section, we want to encrypt hard drives using BitLocker. The standard will tell you that we use the default settings when activating BitLocker, whereas the procedure will tell you to right-click on the hard drive icon and select BitLocker.

The need for an NDA

Procedures must require an NDA before they are shared with third parties or external vendors. If an adversary were to gain access to your incident response procedures, they would know exactly how the organization intends to respond. This could give the adversary the upper hand by exposing the internal workings of a CERT.

NDAs are meant to help protect you from information leakage. By placing trust in the other party through a signed NDA, you can safely share these documents with them. An NDA also provides additional protection in that it prevents the other party from sharing your information further. If an entity were found to be violating such an agreement, your organization would have grounds for legal action against that third party.

How to write a procedure

Again, procedures are low-level documents that provide step-by-step instructions on how to install, configure, and maintain a piece of technology. Documents can also be written for how to decommission a technology or respond to an incident.

These documents must also be written so that nothing is left to chance. We often take for granted how to perform a particular job role. Procedures should not leave steps out, or the result could be a misconfigured system or an inability to set up an IT resource at all. A procedure must include every step in the process. Even if clicking a link seems self-explanatory, it may not be obvious to a junior systems administrator.