LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

What are the two components of a System-Specific Security Policy?

Managerial guidance and technical specifications — usually combined in one comprehensive document.

  1. Managerial guidance — details the company's security objectives for the system: how the resource supports business objectives, and how leadership wants it set up and maintained. Example: without managerial guidance for the firewall, the IT administrator chooses settings based on personal knowledge and preferences — with it, configuration follows documented intent.
  2. Technical specifications — the concrete technical implementation: settings, access control lists, configuration rules that realize the managerial intent.

Why the split matters: it separates what and why (management's call — which traffic is business-critical, what risk is acceptable) from how (the engineer's call — rules, syntax, parameters). Auditors love this structure: they can verify the chain business objective → managerial guidance → technical setting.

Tip: ACLs (access control lists) are the textbook example of technical specifications implementing managerial guidance ("only finance accesses the finance share").

From Quiz: ISM / Policies, Concepts & Guidelines | Updated: Jun 04, 2026