Which of the following statements pertaining to a security policy is incorrect?
A. B. C. D.
Correct answer: B.
A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details but not a policy.
A security policy is a formal statement of the rules that people who are given access to an organization's technology and information assets must abide.
The policy communicates the security goals to all of the users, the administrators, and the managers.
The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets.
The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy.
In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization.
A good security policy must:
Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
Be able to be enforced with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
Clearly define the areas of responsibility for the users, the administrators, and the managers
Be communicated to all once it is established
Be flexible to the changing environment of a computer network since it is a living document
Reference(s) used for this question: National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide, February 2002, page 7.
A local copy is kept at: https://www.freepracticetests.org/documents/The%2060%20Minute%20Network%20Security%20Guide.pdf.
A security policy is a document that outlines an organization's guidelines, procedures, and standards for safeguarding its technology and information assets. It is designed to inform employees, administrators, and managers of their obligations and responsibilities for protecting the organization's assets from potential threats, such as cyber-attacks, theft, and other forms of malicious activity.
Statement A is accurate. The primary purpose of a security policy is to communicate the mandatory requirements for protecting technology and information assets to the organization's employees, administrators, and managers. It outlines the necessary measures to be taken to ensure the organization's security, including defining roles and responsibilities, setting guidelines and procedures, and specifying the tools and resources required to maintain security.
Statement B is incorrect. A security policy does not typically specify how hardware and software should be used throughout the organization. Instead, it outlines the security protocols and practices that should be followed when using technology and information assets. For instance, it may specify that all employees must use strong passwords, encrypt sensitive data, and regularly update software to mitigate potential security risks.
Statement C is accurate. To be effective, a security policy must have the support and acceptance of all levels of employees within the organization. This ensures that everyone understands their responsibilities and obligations regarding the security of technology and information assets, and that they are committed to implementing the necessary security measures.
Statement D is accurate. A security policy must be flexible to the changing environment to remain effective. Threats to an organization's technology and information assets are constantly evolving, and a security policy must be updated regularly to address new threats and vulnerabilities. It must be reviewed periodically to ensure it remains relevant and effective, and updated as needed to reflect changes in the organization's technology, infrastructure, and security requirements.
In summary, statement B is the incorrect statement pertaining to a security policy. A security policy does not typically specify how hardware and software should be used throughout the organization. Instead, it outlines the security protocols and practices that should be followed when using technology and information assets.