312-50V10 · Question #690
Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they b
The correct answer is B. Information Security Policy (ISP). An Information Security Policy (ISP) is the formal organizational document that defines acceptable system use, prohibited behavior, and disciplinary consequences, and must be signed by every employee before access is granted.
Question
Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?
Options
- AInformation Audit Policy (IAP)
- BInformation Security Policy (ISP)
- CPenetration Testing Policy (PTP)
- DCompany Compliance Policy (CCP)
How the community answered
(25 responses)- A4% (1)
- B88% (22)
- C8% (2)
Why each option
An Information Security Policy (ISP) is the formal organizational document that defines acceptable system use, prohibited behavior, and disciplinary consequences, and must be signed by every employee before access is granted.
Information Audit Policy is not a recognized standard document type for employee acceptable use rules; audit policies govern how systems and data are reviewed for compliance, not the behavioral rules imposed on all staff.
The Information Security Policy is the governing document that establishes the rules all employees must follow when using organizational computing resources, specifying what is permitted, what is prohibited, and the consequences for violations. Requiring each employee to sign a copy before receiving system access creates a legally binding acknowledgment of their security obligations and provides the organization with an auditable record of acceptance.
A Penetration Testing Policy defines the scope, rules of engagement, and authorization boundaries for security testers conducting assessments, not the general acceptable use rules applicable to every employee.
A Company Compliance Policy broadly addresses adherence to regulatory and legal frameworks rather than serving as the specific employee-facing acceptable use and security conduct document described in the question.
Concept tested: Information Security Policy employee acknowledgment and scope
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.