CHAPTER SUMMARY

Policy framework development is needed for the establishment and ongoing operation of the organization’s security program. It establishes the top leadership’s intent as to how information security should be managed. This program begins with documentation in the form of policies, standards, baselines, procedures, and guidance for compliance. The library of documents is arranged as a hierarchy with the highest level consisting of a charter. The next level includes policies, followed by an increasing number of standard and baseline documents. These documents are supplemented with guidelines to aid in implementation. Finally, many procedure documents that explicitly describe how to implement a security control or process are ...
