52 Security De-engineering
Most rms these days have a baseline information security stan-
dard that is something like the ISO 27001/2 standards, which specify
at a low level of detail what an organization needs to cover and then
how to implement the standard as a living process. Having developed
their own version of this standard and called it a “baseline standard,”
they will ask senior management to sign o on this document, thereby
making it a binding resolution that a security department can use to
terrorize every other department in the company.
From the baseline standard, other more detailed standards and
guidelines are formulated that link back to the baseline. For example,
the baseline standard will state that all computing devices ...