The secure enterprise must have a defined framework, an administrative control to define and maintain the prudent governance of the organization. This framework must be initiated, driven, and supported by top-level management. The collection of policies, procedures, guidelines, baselines, and standards that document this organizational framework is collectively called the policies of the organization. These policies establish the security posture of the organization and define the framework of the security program for the enterprise. These documents should describe the prudent management of the specialized security concerns of the organization (because no two organizations have the same security concerns) and have integrated ...