Employees usually refer to procedures more often than other policies and standards because procedures provide
the actual details of the implementation phase of a security program.
Baselines
A baseline is the minimum level of security required of a system. Baselines give users a consistent, absolute
minimum level of security that applies to every system in the organization, regardless of who builds it. For
example, a company might have a baseline for Windows 2000 servers to have Service Pack 4 installed on each
server in the production environment. The procedure document would supplement the baseline by spelling out
step-by-step instructions on where to download Service Pack 4 and how to install it to comply with this security
level.
Guidelines
Guidelines are recommended actions and operational guides for users. Like procedures, guidelines are
tactical in nature. The major difference between standards and guidelines is that guidelines are advisory and
serve as a reference, whereas standards are mandatory actions in most cases.
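The distinction drawn above between a baseline (a mandatory minimum, checked across every system in scope) and a guideline (advisory, tracked but not enforced) can be made concrete in a small compliance evaluator. The following is an added example, not code from the original text: it encodes the Windows 2000 / Service Pack 4 baseline from the Baselines section as a mandatory requirement scoped to production, adds a constructed guideline (audit logging recommended everywhere), and runs both over a constructed server inventory. The server names, the audit-logging guideline, and the inventory values are all assumptions made for the example.

```python
"""Evaluate a server inventory against baselines (mandatory) and guidelines (advisory).

Added example. The inventory, the audit-logging guideline and all host names
are constructed for illustration; only the "Windows 2000 servers in production
must run Service Pack 4" baseline comes from the text.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Server:
    name: str
    os: str
    service_pack: int
    environment: str      # "production" or "development"
    audit_logging: bool


@dataclass(frozen=True)
class Requirement:
    name: str
    mandatory: bool                      # True = baseline/standard, False = guideline
    applies_to: Callable[[Server], bool]  # scope: which systems the requirement covers
    check: Callable[[Server], bool]       # passes when the system meets the requirement


@dataclass(frozen=True)
class Finding:
    server: str
    requirement: str
    severity: str  # "violation" for a missed baseline, "recommendation" for a missed guideline


# Baseline from the text: Windows 2000 production servers must have Service Pack 4.
WIN2K_SP4_BASELINE = Requirement(
    name="Windows 2000 production servers run Service Pack 4",
    mandatory=True,
    applies_to=lambda s: s.os == "Windows 2000" and s.environment == "production",
    check=lambda s: s.service_pack >= 4,
)

# Constructed guideline (assumption, not from the text): audit logging is recommended on all hosts.
AUDIT_LOGGING_GUIDELINE = Requirement(
    name="Enable audit logging",
    mandatory=False,
    applies_to=lambda s: True,
    check=lambda s: s.audit_logging,
)

REQUIREMENTS: List[Requirement] = [WIN2K_SP4_BASELINE, AUDIT_LOGGING_GUIDELINE]

# Constructed inventory (assumption): four hosts with different patch levels and scopes.
INVENTORY: List[Server] = [
    Server("web01", "Windows 2000", 4, "production", True),    # meets everything
    Server("db01", "Windows 2000", 3, "production", True),     # misses the SP4 baseline
    Server("dev02", "Windows 2000", 2, "development", False),  # out of baseline scope; misses guideline
    Server("file01", "Windows 2003", 1, "production", False),  # not Windows 2000; misses guideline
]


def evaluate(inventory: List[Server], requirements: List[Requirement]) -> List[Finding]:
    """Return one Finding per (server, requirement) pair that is in scope and fails its check."""
    findings: List[Finding] = []
    for server in inventory:
        for req in requirements:
            if not req.applies_to(server):
                continue  # requirement is not in scope for this system
            if not req.check(server):
                severity = "violation" if req.mandatory else "recommendation"
                findings.append(Finding(server.name, req.name, severity))
    return findings


def violations(inventory: List[Server], requirements: List[Requirement]) -> List[Finding]:
    """Only the mandatory (baseline/standard) failures: these block compliance."""
    return [f for f in evaluate(inventory, requirements) if f.severity == "violation"]


def is_compliant(inventory: List[Server], requirements: List[Requirement]) -> bool:
    """An environment is compliant when no baseline is violated; open guidelines do not count."""
    return not violations(inventory, requirements)


if __name__ == "__main__":
    for f in evaluate(INVENTORY, REQUIREMENTS):
        print(f"{f.severity:15} {f.server:8} {f.requirement}")
    print("compliant:", is_compliant(INVENTORY, REQUIREMENTS))
```

The scope predicate (`applies_to`) is what makes a baseline "consistent across all the systems": every system the baseline covers is judged by the same check, while systems outside its scope (a development box, a different OS version) produce no finding at all. Guideline misses are reported so they can be tracked, but only baseline violations flip the compliance result, mirroring the mandatory-versus-advisory split described in the text.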
Figure 1-3 depicts the fundamental relationship among security policies, standards, baselines, guidelines, and
procedures.
Figure 1-3. Relationships Among Security Policies, Standards, Procedures, Baselines, and Guidelines
Security Models
An important element in the design and analysis of secure systems is the security model, because it integrates
the security policy that should be enforced in the system.