
Administrative Data Gathering ◾ 185
© 2011 by Taylor & Francis Group, LLC
(or requirements) on how to implement the policy statements. See the example in
Table6.14.
Not all security policies are expected to have associated security procedures.
For example, the acceptable-use policy typically has no need for more detailed
procedures implementing the policy. However, policy statements covering system
hardening, account creation and termination, and incident tracking and reporting
could certainly use more detailed description of how the policy statement will be
enforced.
6.2.1.3.4 Security Awareness Training Review
e security risk asses ...