Good information security procedures should:

A.
define the allowable limits of behavior.

B.
underline the importance of security governance.

C.
describe security baselines for each platform.

D.
be updated frequently as new software is released.

Explanation:

Security procedures often have to change frequently to keep up with changes in software. Since a procedure is a how-to document, it must be kept up-to-date with frequent changes in software. A security standard such as platform baselines — defines behavioral limits, not the how-to process; it should not change frequently. Highlevel objectives of an organization, such as security governance, would normally be addressed in a security policy.