They are optional and vendor-specific.

They provide specific step-by-step instructions.

They are mandatory and high-level.

They are non-mandatory and flexible.

They are used to create baselines.

They are mandatory and must be followed.

They provide specific vendor instructions.

They are non-mandatory and offer recommendations.

To provide knowledge that may or may not be used.

To change user behavior through understanding.

To ensure compliance with all policies.

To document security procedures.

To ensure they memorize all security policies.

To make sure they attend the training sessions.

To reduce the number of training sessions required.

To encourage active participation and retention.

Encrypting sensitive data.

Implementing firewalls.

Conducting background checks.

Installing antivirus software.

Discuss termination with their colleagues.

Allow them to access data for a grace period.

Turn off their access immediately after termination.

Notify them a week in advance.

To avoid having to conduct background checks.

To allow them unrestricted access to data.

To reduce the cost of security measures.

To ensure they follow the same security standards.