312-50V11 · Question #690
Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they b
The correct answer is B. Information Security Policy (ISP). A formal written document that defines acceptable use of company systems, prohibited activities, and disciplinary consequences for employees is called an Information Security Policy (ISP).
Question
Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?
Options
- AInformation Audit Policy (IAP)
- BInformation Security Policy (ISP)
- CPenetration Testing Policy (PTP)
- DCompany Compliance Policy (CCP)
How the community answered
(51 responses)- A2% (1)
- B94% (48)
- C4% (2)
Why each option
A formal written document that defines acceptable use of company systems, prohibited activities, and disciplinary consequences for employees is called an Information Security Policy (ISP).
An 'Information Audit Policy' is not a recognized standard document type; audits involve reviewing existing compliance, not defining acceptable use rules for new employees.
The Information Security Policy (ISP) is the standard term for a formal document that communicates to employees what is permissible, what is forbidden, and the consequences of violations on company systems. It is distributed upon onboarding and requires a signed acknowledgment before system access is granted. The signed copy creates a legal and administrative record of the employee's agreement to the terms.
A Penetration Testing Policy governs the scope and authorization of security testing engagements, not general employee computer use agreements.
'Company Compliance Policy' is not a standard recognized term for the employee acceptable-use agreement described in the question.
Concept tested: Information Security Policy employee acceptable use
Source: https://www.nist.gov/cyberframework
Topics
Community Discussion
No community discussion yet for this question.