nerdexam
(ISC)2

CISSP-ISSEP · Question #117

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a

The correct answer is A. What is being secured B. Who is expected to comply with the policy C. Where is the vulnerability, threat, or risk. A well-designed security policy must define what assets are being protected (A), who is obligated to follow it (B), and what vulnerabilities, threats, or risks the policy addresses (C) - these three components give the policy scope, accountability, and purpose. Without all three,

Governance and Training

Question

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.

Options

  • AWhat is being secured
  • BWho is expected to comply with the policy
  • CWhere is the vulnerability, threat, or risk
  • DWho is expected to exploit the vulnerability

How the community answered

(55 responses)
  • A
    89% (49)
  • D
    11% (6)

Explanation

A well-designed security policy must define what assets are being protected (A), who is obligated to follow it (B), and what vulnerabilities, threats, or risks the policy addresses (C) - these three components give the policy scope, accountability, and purpose. Without all three, the policy lacks the clarity needed to be enforceable or actionable across the organization.

Option D is wrong because a security policy is a defensive, governance document - it is never the role of a policy to identify who will attack the organization. That concern belongs in threat modeling or risk assessments, not the policy itself.

Memory tip: Think of A, B, C as the "What, Who, Why" of policy writing - What is protected, Who must comply, and Why it matters (the risk landscape). If an answer choice puts the attacker in the policy's scope, it's always a distractor.

Topics

#Security Policy#Policy Design#Security Governance#Risk Management

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice