An effective information security policy should NOT have which of the following characteristics?

A. Include separation of duties

B. Be designed with a short- to mid-term focus

C. Be understandable and supported by all stakeholders

D. Specify areas of responsibility and authority

Explanation:
An information security policy should not be designed with a short- to mid-term focus. It should be created with
the intention of having the policies in place for several years at a time. This will help ensure policies are
forward-thinking enough to deal with potential changes that may arise. It should also be reviewed and modified
as a company changes, such as through adoption of a new business model, a merger with another company,
or change of ownership.
Incorrect Answers:
A: An information security policy should include separation of duties.
C: An information security policy should be understandable and supported by all stakeholders.
D: An information security policy should specify areas of responsibility and authority.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 102


