Personnel Actions: Detailed Guidelines for Compliance | SSCP Exam Preparation

Detailed Actions for Personnel Compliance


Question

Which of the following embodies all the detailed actions that personnel are required to follow?

Answers

Explanations


A. B. C. D.

C.

Procedures are step-by-step instructions in support of the policies, standards, guidelines and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks.

Standards is incorrect.

Standards are a "mandatory statement of minimum requirements that support some part of a policy." The standards in this case are your own company's standards, not external standards such as the ISO standards.

Guidelines is incorrect.

"Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions."

Baselines is incorrect.

Baselines "are a minimum acceptable level of security. This minimum is implemented using specific rules necessary to implement the security controls in support of the policy and standards." For example, requiring a password of at least 8 characters would be a baseline. Requiring all users to have, at a minimum, an antivirus, a personal firewall, and an anti-spyware tool could be another example.

References: CBK, pp. 12-16. Note especially the discussion of the "hammer policy" on pp. 16-17 for the differences between policy, standard, guideline and procedure. AIO3, pp. 88-93.

In the field of security administration, standards, guidelines, procedures, and baselines are four common terms for the different types of documents that support a policy and govern the behavior and actions of personnel.

Standards are generally high-level statements that describe what should be achieved or maintained in terms of security. They provide a framework for security practices and help ensure that organizations comply with industry best practices and regulations. Standards are usually developed by industry organizations, government bodies, or standards-setting bodies, and they are often voluntary. Examples of security standards include ISO/IEC 27001, NIST SP 800-53, and PCI DSS.

Guidelines are documents that provide recommendations or best practices for personnel to follow. Unlike standards, guidelines are not mandatory, but they serve as a useful reference for personnel who need to make decisions or take action. Guidelines are typically developed by organizations or industry bodies and can cover a wide range of topics, such as password management, email security, and incident response.

Procedures are detailed step-by-step instructions that describe how specific tasks should be carried out. Procedures are often used for routine tasks that need to be performed consistently and accurately. They provide a structured approach to completing tasks and ensure that personnel follow established best practices. Procedures are typically developed by organizations and are often mandatory. Examples of security procedures include access control procedures, incident response procedures, and backup and recovery procedures.

Baselines are typically used to establish a minimum level of security for systems, applications, or networks. They define a set of security controls or configurations that must be implemented in order to meet a specific level of security. Baselines are often used as a starting point for more specific security policies and procedures. They are typically developed by organizations and may be based on industry standards or best practices.

In the context of the question, the answer that embodies all the detailed actions that personnel are required to follow is C. Procedures. Procedures provide the detailed, step-by-step instructions that specify how tasks must be carried out and ensure that personnel follow established best practices. Standards, guidelines, and baselines supply the context and requirements that procedures are written to satisfy, but it is the procedures themselves that spell out the detailed actions personnel are required to follow.