To reduce the likelihood of a security failure, the process of implementing security has been somewhat formalized with a hierarchical organization of documentation. Each level focuses on a specific type or category of information and issues.

Now, let’s stitch all the pieces together to view the complete picture.

Case Study: 

• The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
• A standard states in strict words that every computer in the organization’s network must have an antivirus installed and updated with the latest virus definitions.
• A baseline sets the threshold below which a computer will be considered insecure, and above which it will be considered as secure. The baseline could be for example a computer fully-patched, with antivirus installed, having virus definitions not older than 7 days from the latest published definitions from the vendor.
• Guidelines could be instructions like:
  • When you receive an email from untrusted or unknown sender, don’t open any attachments in the mail.
  • Use of USB flash memories, hard disks, CD-ROM is prohibited in the organization’s computers.
  • Don’t attempt to disable or hinder the antivirus operation.
• Procedures could be the antivirus installation and configuration steps on network hosts