Quiz Entry - updated: 2026.06.04
What are the two components of a System-Specific Security Policy?
Managerial guidance and technical specifications — usually combined in one comprehensive document.
- Managerial guidance — details the company's security objectives for the system: how the resource supports business objectives, and how leadership wants it set up and maintained. Example: without managerial guidance for the firewall, the IT administrator chooses settings based on personal knowledge and preferences — with it, configuration follows documented intent.
- Technical specifications — the concrete technical implementation: settings, access control lists, configuration rules that realize the managerial intent.
Why the split matters: it separates what and why (management's call — which traffic is business-critical, what risk is acceptable) from how (the engineer's call — rules, syntax, parameters). Auditors love this structure: they can verify the chain business objective → managerial guidance → technical setting.
Tip: ACLs (access control lists) are the textbook example of technical specifications implementing managerial guidance ("only finance accesses the finance share").