Information security policies should:
A.
address corporate network vulnerabilities.
B.
address the process for communicating a violation.
C.
be straightforward and easy to understand.
D.
be customized to specific groups and roles.
Explanation:
As high-level statements, information security policies should be straightforward and easy to
understand. They arc high-level and, therefore, do not address network vulnerabilities directly or
the process for communicating a violation. As policies, they should provide a uniform message to
all groups and user roles.