CISSP-ISSEP · Question #117
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a
The correct answer is A. What is being secured B. Who is expected to comply with the policy C. Where is the vulnerability, threat, or risk. A well-designed security policy must define what assets are being protected (A), who is obligated to follow it (B), and what vulnerabilities, threats, or risks the policy addresses (C) - these three components give the policy scope, accountability, and purpose. Without all three,
Question
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.
Options
- AWhat is being secured
- BWho is expected to comply with the policy
- CWhere is the vulnerability, threat, or risk
- DWho is expected to exploit the vulnerability
How the community answered
(55 responses)- A89% (49)
- D11% (6)
Explanation
A well-designed security policy must define what assets are being protected (A), who is obligated to follow it (B), and what vulnerabilities, threats, or risks the policy addresses (C) - these three components give the policy scope, accountability, and purpose. Without all three, the policy lacks the clarity needed to be enforceable or actionable across the organization.
Option D is wrong because a security policy is a defensive, governance document - it is never the role of a policy to identify who will attack the organization. That concern belongs in threat modeling or risk assessments, not the policy itself.
Memory tip: Think of A, B, C as the "What, Who, Why" of policy writing - What is protected, Who must comply, and Why it matters (the risk landscape). If an answer choice puts the attacker in the policy's scope, it's always a distractor.
Topics
Community Discussion
No community discussion yet for this question.