Page 108 - CISSO_Prep_ Guide
Guidelines are often helpful to assist users in following the standards and procedures. While guidelines themselves are recommendations (policy, procedures, standards, and baselines are mandatory), a guideline is an excellent way to help users understand how to meet requirements. Guidelines, for example, may describe how to create a good password, or other suitable security practices and behaviors.
The security program must be documented, and the documents kept up to date, to ensure that everyone is familiar with their responsibilities and to allow auditors the opportunity to review compliance with the security program. The documents should outline the correct procedures and requirements and detail the steps necessary to be compliant with the security controls.

Controls are to be based on risk, and therefore there should be a clear alignment between each control and the risk that the control is mitigating. Education on the purpose of a control and the risk that it is intended to address may also encourage compliance with the control and greater acceptance of the control.
Important Procedures
Control Monitoring and Reporting
With careful design and implementation, an organization may deploy a good security program, but the risk is that, over time, the security controls may become ineffective. Changes may happen in networks or applications that bypass the controls, the users may stop following procedures correctly, or administrators may take shortcuts. This is why it is important to monitor security controls regularly. Monitoring the controls, including tracking KPIs and