Security Control Documentation …

To reduce the likelihood of a security failure, the process of implementing security has been somewhat formalized with a hierarchical organization of documentation. Each level focuses on a specific type or category of information and issues.

Now, let’s stitch all the pieces together to view the complete picture.

Case Study: 

  • The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
  • A standard states in strict words that every computer in the organization’s network must have an antivirus installed and updated with the latest virus definitions.
  • A baseline sets the threshold below which a computer will be considered insecure, and above which it will be considered as secure. The baseline could be for example a computer fully-patched, with antivirus installed, having virus definitions not older than 7 days from the latest published definitions from the vendor.
  • Guidelines could be instructions like:
    • When you receive an email from untrusted or unknown sender, don’t open any attachments in the mail.
    • Use of USB flash memories, hard disks, CD-ROM is prohibited in the organization’s computers.
    • Don’t attempt to disable or hinder the antivirus operation.
  • Procedures could be the antivirus installation and configuration steps on network hosts

2 thoughts on “Security Control Documentation …

  1. Pingback: Domain 1: Security & Risk Management – mrcissp

  2. Pingback: Enterprise Architecture & Security Control Framework – mrcissp

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.