Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A. What is to be done.
B. When it is to be done.
C. Who is to do it.
D. Why is it to be done
Explanation:
Regulatory security policies are mandated to the organization, but it is up to the organization to implement them.
“Regulatory – This policy is written to ensure that the organization is following standards set by a specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of industry. This is used in financial institutions, health care facilities, and public utilities.”
- Shon Harris, All-in-one CISSP Certification Guide, pg 93-94
The quote from Ms. Harris's book does not say that ‘who is to do’ is excluded from Regulatory Laws. The Sarbanes Oxley is full of regulatory directives as to who is to do what.