What is the main purpose of Corporate Security Policy?
A. B. C. D.
Correct answer: B.
A Corporate Security Policy is a high-level document that states management's intentions regarding Information Security within the organization. It is high level in purpose; it does not give you details about specific products that would be used, specific steps, etc.
The organization's requirements for access control should be defined and documented in its security policies.
Access rules and rights for each user or group of users should be clearly stated in an access policy statement.
The access control policy should minimally consider:
- Statements of general security principles and their applicability to the organization
- Security requirements of individual enterprise applications, systems, and services
- Consistency between the access control and information classification policies of different systems and networks
- Contractual obligations or regulatory compliance regarding protection of assets
- Standards defining user access profiles for organizational roles
- Details regarding the management of the access control system
As a Certified Information System Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines.
Guidance provided by the CISSP on technical security issues and emerging threats is considered in the adoption of new policies.
The CISSP also performs activities such as interpreting government regulations and industry trends and analyzing vendor solutions to include in the security architecture that advances the security of the organization.
The following are incorrect answers:
To transfer the responsibility for the information security to all users of the organization is bogus. You CANNOT transfer responsibility, you can only transfer authority. Responsibility will also sit with upper management. The keywords ALL and USERS are also an indication that it is the wrong choice.
To provide detailed steps for performing specific actions is also a bogus distractor. A step-by-step document is referred to as a procedure. It details how to accomplish a specific task.
To provide a common framework for all development activities is also an invalid choice. Security Policies are not restricted only to development activities.
Reference Used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.
The main purpose of a Corporate Security Policy is to communicate management's intentions and expectations with regard to information security within an organization. A well-written policy provides clear guidance and direction on how information should be handled, protected, and accessed by authorized personnel.
Option A is incorrect because a security policy does not transfer responsibility for information security to all users. Instead, it outlines roles and responsibilities and provides guidance on how to maintain the security of the organization's information.
Option C is also incorrect because a security policy is not intended to provide detailed steps for performing specific actions. Rather, it sets out high-level principles and guidelines for managing information security across the organization.
Option D is also incorrect because a security policy is not focused solely on development activities. It is a broader document that applies to all areas of an organization, including operations, administration, and management.
In summary, the correct answer is B. The main purpose of a Corporate Security Policy is to communicate management's intentions and expectations with regard to information security.