To reduce the likelihood of a security failure, the process of implementing security has been somewhat formalized with a hierarchical organization of documentation. Each level focuses on a specific type or category of information and issues.

Now, let’s stitch all the pieces together to view the complete picture.
Case Study:
- The security policy states in general terms that the organization must maintain a malware-free computer system environment.
- A standard states in strict terms that every computer on the organization's network must have an antivirus installed and updated with the latest virus definitions.
- A baseline sets the threshold below which a computer is considered insecure and at or above which it is considered secure. The baseline could be, for example, a fully patched computer with antivirus installed and virus definitions no older than 7 days from the latest definitions published by the vendor.
- Guidelines could be instructions like:
  - When you receive an email from an untrusted or unknown sender, don't open any attachments in the mail.
  - Use of USB flash memories, hard disks, and CD-ROMs is prohibited on the organization's computers.
  - Don't attempt to disable or hinder the antivirus operation.
- Procedures could be the antivirus installation and configuration steps for network hosts.
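The baseline above is the one layer that is directly measurable, so here is an added example (not from the original post) that turns it into a compliance check: each host is evaluated against the three criteria, and definition age is measured against the vendor's latest published definitions rather than against today's date. The host records and the vendor date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Baseline threshold from the case study: definitions must be no more than
# 7 days behind the vendor's latest published definitions.
MAX_DEFINITION_AGE_DAYS = 7


@dataclass
class Host:
    name: str
    fully_patched: bool
    antivirus_installed: bool
    definitions_date: Optional[date]  # None when no definitions are present


def baseline_failures(host: Host, vendor_latest: date) -> List[str]:
    """Return the baseline criteria this host fails (empty list means secure)."""
    failures: List[str] = []
    if not host.fully_patched:
        failures.append("missing OS patches")
    if not host.antivirus_installed:
        failures.append("no antivirus installed")
    elif host.definitions_date is None:
        failures.append("no virus definitions")
    else:
        # Age is relative to the vendor's release, not to the calendar day the
        # check runs, so a host is not penalised while the vendor is quiet.
        age = (vendor_latest - host.definitions_date).days
        if age > MAX_DEFINITION_AGE_DAYS:
            failures.append(f"definitions {age} days behind vendor")
    return failures


def classify_fleet(hosts: List[Host], vendor_latest: date) -> Dict[str, str]:
    """Map each host name to 'secure' or 'insecure: <reasons>'."""
    report = {}
    for host in hosts:
        failures = baseline_failures(host, vendor_latest)
        report[host.name] = "secure" if not failures else "insecure: " + "; ".join(failures)
    return report


# Constructed sample fleet; the vendor published its latest definitions on 2024-03-15.
VENDOR_LATEST = date(2024, 3, 15)
SAMPLE_FLEET = [
    Host("ws01", True, True, date(2024, 3, 10)),   # 5 days old: within baseline
    Host("ws02", True, True, date(2024, 3, 1)),    # 14 days old: fails
    Host("srv01", False, True, date(2024, 3, 15)),  # current definitions, unpatched
    Host("lab03", True, False, None),               # no antivirus at all
]
```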