
Upload: brandon-weaver

Post on 18-Jan-2016


DESCRIPTION

Chapter 2 from Guide to Firewalls and VPNs

TRANSCRIPT

Chapter 2 Review

1. It is management's role to create and maintain policies and to make sure they are followed as intended.

2. A policy is a set of general guidelines or instructions; a standard is a more detailed statement of what must be done to comply with the policy; a practice puts the policy or standard into use.

3. For a policy to be enforceable it must be disseminated (readily available), distributed in an intelligible form, employees must show that they understood it, employees must agree to comply with it, and it must be applied equally to all employees.

4. It defines the purpose, scope, constraints, and applicability of the program; assigns responsibilities for areas of security; and specifies the requirements to be met by the information security blueprint or framework.

5. It requires frequent updates and contains a statement of the organization's position on a specific issue.

6. An access control list (ACL). It is used to identify a technology's authorized users and to detail the privileges and rights those users have on that technology.
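The following is an added example, not part of the original review or the textbook, showing how a systems-specific policy of the kind described in answer 6 is evaluated in code: an ACL that names who may use a technology, what they may do with it, and on which resources. The users, groups, resource names, rights, and rules are constructed sample data; the evaluator denies by default and lets an explicit deny override any allow, which is the convention a practitioner should expect from a real ACL.

```python
"""Added example (not from the textbook or the review): a minimal
access control list (ACL) evaluator for a systems-specific policy.
All users, groups, resources, rights and rules below are constructed
sample data."""

from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    principal: str            # a user name, or "group:<name>"
    resource: str             # glob pattern over resource names
    rights: frozenset         # rights this rule covers, e.g. {"read", "write"}
    effect: str = "allow"     # "allow" or "deny"


@dataclass
class Acl:
    rules: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)   # group name -> set of users

    def _matches(self, rule, user, resource, right):
        """True when the rule applies to this (user, resource, right)."""
        if rule.principal.startswith("group:"):
            members = self.groups.get(rule.principal[len("group:"):], set())
            principal_ok = user in members
        else:
            principal_ok = rule.principal == user
        return (principal_ok
                and fnmatch(resource, rule.resource)
                and right in rule.rights)

    def check(self, user, resource, right):
        """Deny by default; an explicit deny beats any allow."""
        allowed = False
        for rule in self.rules:
            if not self._matches(rule, user, resource, right):
                continue
            if rule.effect == "deny":
                return False
            allowed = True
        return allowed

    def effective_rights(self, user, resource):
        """The set of rights a user actually holds on one resource,
        which is what the 'details on privileges and rights' in an
        ACL-style policy document should list."""
        candidates = set()
        for rule in self.rules:
            candidates |= rule.rights
        return {r for r in candidates if self.check(user, resource, r)}


def sample_acl():
    """Constructed sample policy for a set of firewalls (hypothetical)."""
    acl = Acl(groups={"firewall-admins": {"alice", "bob"},
                      "helpdesk": {"carol"}})
    # Administrators may read and change any firewall configuration.
    acl.rules.append(Rule("group:firewall-admins", "fw-*/config",
                          frozenset({"read", "write"})))
    # Helpdesk staff may only read firewall logs.
    acl.rules.append(Rule("group:helpdesk", "fw-*/logs", frozenset({"read"})))
    # Carol may additionally read (but never change) configurations.
    acl.rules.append(Rule("carol", "fw-*/config", frozenset({"read"})))
    # Bob is a contractor: explicitly denied write access to the DMZ firewall,
    # even though his group membership would otherwise allow it.
    acl.rules.append(Rule("bob", "fw-dmz/config", frozenset({"write"}), "deny"))
    return acl


if __name__ == "__main__":
    acl = sample_acl()
    for user, resource, right in [("alice", "fw-dmz/config", "write"),
                                  ("bob", "fw-dmz/config", "write"),
                                  ("bob", "fw-core/config", "write"),
                                  ("carol", "fw-dmz/logs", "read"),
                                  ("dave", "fw-dmz/logs", "read")]:
        print(user, resource, right, "->", acl.check(user, resource, right))
    print("bob on fw-dmz/config:", sorted(acl.effective_rights("bob", "fw-dmz/config")))
```

The ordering of the rules does not matter for the decision, because the evaluator keeps scanning after an allow and returns immediately on a deny; that is what makes the contractor rule safe to add anywhere in the list. A user with no matching rule at all (dave above) is denied, which is the deny-by-default behaviour a systems-specific policy should require.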

7. The champion is the senior manager who sponsors and supports the technology or project. The project manager oversees the work and makes sure that policies are followed.

8. SP 800-14

9. A security blueprint is the basis for the design, selection, and implementation of security controls. The security framework is the outline of the overall information security strategy.

10. It outlines the design and implementation of the security infrastructure, making the process easier.

11. ISO/IEC 27002

12. ISO 27002 is one of the most widely referenced security models. It consists of 12 sections, including security policy, asset management, access control, and compliance, among others.

13. It was published as British Standard 7799 and referenced as BS 7799, then adopted as an international standard called ISO/IEC 17799. Later revisions gave it the title ISO 27002.

14. The documents include SP 800-12, 14, 18, 30, 41, and 53. They provide guidelines and baselines for security frameworks.

15. Benchmarking is when an organization compares its current practices against those of other organizations.

16. The spheres of security are the generalized foundation of a good security framework. They illustrate how information is under attack from a variety of sources. Both large and small companies can benefit from the model, and it is a good visual aid for understanding attacks.

17. Defense in depth is where a company implements multiple layers of security defenses, so that if one layer fails the remaining layers still ward off or stop attackers.


18. Today, many standards and policies that other organizations use or have used can be found on the web, and they can help an organization develop ideas for its own security framework.

19. SETA is a security education, training, and awareness program that helps people, whether IT professionals or not, learn more about information security. Major companies should have SETA programs in place so that the company is better prepared for attacks.

20. Contingency planning is planning for emergencies that might affect a company, such as a successful outside attack or a power failure. Routine management planning covers what happens on a regular basis.