SSCP Information Security Policy Characteristics

Information Security Policy Characteristics


Question

An effective information security policy should not have which of the following characteristics?

Answers

Explanations


A. B. C. D.

B.

An effective information security policy should be designed with a long-term focus.

All other characteristics apply.

Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).

An effective information security policy should have all of the following characteristics: include separation of duties, be designed with a short- to mid-term focus, be understandable and supported by all stakeholders, and specify areas of responsibility and authority. Therefore, the correct answer is none of the above.

Let's break down each of the options:

A. Include separation of duties: Separation of duties is a fundamental principle in information security that ensures no single individual has complete control over a process or transaction. It is important to include separation of duties in an information security policy to mitigate the risk of fraud, errors, and misuse of resources.

B. Be designed with a short- to mid-term focus: An information security policy should be designed with a short- to mid-term focus to remain relevant and effective. This means that the policy should be reviewed and updated periodically to reflect changes in the organization's structure, business objectives, and technology landscape.

C. Be understandable and supported by all stakeholders: It is crucial that an information security policy is easily understandable by all stakeholders, including employees, contractors, customers, and partners. This helps to ensure that everyone knows their responsibilities and obligations and is able to comply with the policy. In addition, the policy should be supported by top management to ensure its effectiveness.

D. Specify areas of responsibility and authority: An information security policy should clearly specify the areas of responsibility and authority for all individuals involved in the security of the organization's information assets. This helps to ensure that everyone knows their roles and responsibilities and can be held accountable for their actions.

In conclusion, an effective information security policy should have all of the above characteristics. The correct answer is therefore none of the above.