Developing Information Security Policies | CISM Exam | ISACA

Best Approach to Developing Information Security Policies


Question

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Answers

A. Create separate policies to address each regulation.
B. Develop policies that meet all mandated requirements.
C. Incorporate policy statements provided by regulators.
D. Develop a compliance risk assessment.

Explanations

Correct answer: B.

Option B is correct: it is far more efficient to craft all relevant legal and regulatory requirements into one set of policies than to create and maintain separate versions for each regulation (option A).

Incorporating policy statements provided by regulators (option C) will not capture all of the requirements mandated by the different regulators to which the organization is subject, because each regulator writes only for its own scope.

A compliance risk assessment (option D) is an important tool to verify that procedures ensure compliance once the policies have been established; it does not by itself produce the policies.

When developing information security policies, it is important to identify the legal and regulatory issues affecting the organization first, so that the resulting policies meet every mandated requirement and give the organization a single, consistent basis for compliance.

Option A suggests creating separate policies to address each regulation. While this may appear to ensure coverage of each regulation, it produces a fragmented and often contradictory policy framework, duplicates effort wherever regulations overlap, and makes it difficult for employees to know which policy applies to them.

Option B suggests developing policies that meet all mandated requirements. This is the BEST approach: the applicable legal and regulatory requirements are consolidated into a single coherent set of policies, so each requirement is addressed once, overlaps are reconciled, and employees have one authoritative source. Organization-specific detail belongs in the standards and procedures that implement the policies, not in separate policies per regulation.

Option C suggests incorporating policy statements provided by regulators. Such statements are written for a single regulator's scope, so adopting them verbatim will not capture all of the requirements imposed by the other regulators the organization must satisfy, nor the organization's own requirements.

Option D suggests developing a compliance risk assessment. This is a valuable tool, but it is used after policies have been established to verify that procedures actually ensure compliance and to identify gaps; it is not an approach to developing the policies themselves.

In summary, the BEST approach to developing information security policies when legal and regulatory issues are being identified is to develop policies that meet all mandated requirements (option B). Separate policies per regulation are inefficient, regulator-provided statements are incomplete, and a compliance risk assessment is a later verification step.