Domain 1 of 8 · Chapter 6 of 12

Security Documentation

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The documentation hierarchy: one model for five document types
  • Each document type defined, with its tell
  • Why altitude and force are separate axes
  • Exam-pattern recognition: classify the document, pick the right move

The five security-documentation types: altitude, force, and example

Document typeMandatory?Altitude / answersTypical content example
PolicyMandatoryHighest; the "what" and "why" (management intent, technology-neutral)"All portable devices storing company data must be encrypted."
StandardMandatorySpecific requirement; the named "with what""Use AES-256 full-disk encryption with a centrally escrowed key."
BaselineMandatoryMinimum acceptable configuration; the "at least this""Every server must meet the CIS Level 1 hardening benchmark."
ProcedureMandatoryExact ordered steps; the "how, step by step""Steps 1-11 to enable and verify disk encryption on a new laptop."
GuidelineDiscretionaryRecommendation; the optional "how you might""You should consider rotating recovery keys each quarter."

Decision tree

Is it mandatory?must comply, no exceptionNoYesGuidelineBroad, technology-neutral intent?what / why, names no productYesNo (specific)PolicyOrdered step-by-step how?numbered steps for one taskYesNoProcedureA required minimum floor?at least this configurationYesNoBaselineStandard

Cheat sheet

  • Standards, baselines, and procedures are mandatory; only guidelines are discretionary
  • Policy is high-level and technology-neutral: it states what and why, never how
  • A standard mandates uniform use of a specific technology or parameter
  • A baseline is the mandatory minimum configuration a system must meet
  • A procedure is the mandatory, ordered step-by-step that implements a standard
  • A guideline recommends with should, not must
  • The documents derive top-down: policy first, then standard/baseline, then procedure
  • Specificity is altitude; obligation is force, and they are independent
  • NIST sorts policy into program, issue-specific, and system-specific types
  • Issue-specific policy must be reviewed regularly because technology changes
  • Program policy covers purpose, scope, responsibilities, and compliance
  • High-level policy authorizes a compliance structure rather than listing every penalty
  • Organizational standard means internal, not a FIPS or ISO standard
  • A bundled security manual still classifies statement by statement
  • CIS Benchmarks and DISA STIGs are the standard hardening baselines
  • A baseline configuration changes only through change control and is held by continuous monitoring

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-12 Rev. 1, An Introduction to Information Security (Ch. 5, Information Security Policy) Whitepaper