Refer to the information below to answer the question.

The best place to specify the permitted access for each department and job classification combination is the security standards. Security standards are the documents that define the specific and measurable requirements or rules for the implementation and maintenance of the security policies and procedures. Security standards can help to ensure the consistency and the compliance of the security controls and measures across the organization, and to support the security objectives and principles, such as the least privilege and the separation of duties. Specifying the permitted access for each department and job classification combination in the security standards can help to enforce the role-based access control (RBAC) methodology, which assigns the permissions and privileges to the users or the devices based on their roles or functions in the organization. Security procedures, human resource policy, and human resource standards are not the best places to specify the permitted access for each department and job classification combination, as they are related to the steps or actions for the execution or operation of the security controls or measures, the general and strategic guidelines or objectives for the management or administration of the human resources, or the specific and measurable requirements or rules for the implementation and maintenance of the human resource policy, not the role-based access control methodology. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 46. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 61.