Well-written security program policies should be reviewed:
A.
At least annually
B.
After major project implementations
C.
When applications or operating systems are updated
D.
When procedures need to be modified
Explanation:
A: Policies should survive two or three years even though they should be reviewed and approved at least annually. Page 413.