Security Policy Framework

The term "information security policy" is often misused as a label for high-level guidance to an organization on how an IT component should be configured. Security documentation designed this way is not functional: high-level security documentation cannot be treated in the same way as technical requirements.

In Security Bastion's Body of Knowledge material, security documentation is described in three layers: information security policy, operational security standards, security processes and procedures, and security baseline standards. This provides the basis for a set of security documentation, or a documentation framework.

Figure 17: Security Documentation Framework

[Graphic: table of document examples]

Security Processes, Procedures and Work Products

[Graphic: Security Processes, Procedures and Work Instructions]