Page 102 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
individuals. Instead of assigning tasks and responsibilities to a
person, the policy should define tasks and responsibilities to fit a
role. That role is a function of administrative control or personnel
management. Thus, a security policy does not define who is to do
what but rather defines what must be done by the various roles
within the security infrastructure. Then these defined security roles
are assigned to individuals as a job description or an assigned work
task.
Acceptable Use Policy
An acceptable use policy is a commonly produced document that
exists as part of the overall security documentation infrastructure.
The acceptable use policy is specifically designed to assign security
roles within the organization and to spell out the responsibilities
tied to those roles. This policy defines a level of acceptable
performance and expectation of behavior and activity. Failure to
comply with the policy may result in job action warnings, penalties,
or termination.
Security Standards, Baselines, and Guidelines
Once the main security policies are set, then the remaining security
documentation can be crafted under the guidance of those policies.
Standards define compulsory requirements for the homogeneous use of
hardware, software, technology, and security controls. They provide a
course of action by which technology and procedures are uniformly
implemented throughout an organization. Standards are tactical
documents that define steps or methods to accomplish the goals and
overall direction defined by security policies.
At the next level are baselines. A baseline defines a minimum level of
security that every system throughout the organization must meet. All
systems not complying with the baseline should be taken out of
production until they can be brought up to the baseline. The baseline