Which of the following best describes the role of guidelines in an organization's security governance?
Recommendations that are not mandatory but help to guide actions and operational procedures
Regulations imposed by external bodies that an organization must legally comply with
Mandatory rules that specify minimum acceptable levels of security for products, actions, or systems
Detailed, step-by-step instructions on how to perform specific tasks or operations