Which of the following provides the BEST explanation regarding why an organization needs to implement
IT security policies?
A.
To ensure that false positives are identified
B.
To ensure that staff conform to the policy
C.
To reduce the organizational risk
D.
To require acceptable usage of IT systems
Explanation:
Once risks has been identified and assessed then there are five possible actions that should be taken.
These are: Risk avoidance, Risk transference, Risk mitigation, Risk deterrence and Risk acceptance.
Anytime you engage in steps to reduce risk, you are busy with risk mitigation and implementing IT
security policy is a risk mitigation strategy.
Incorrect Answers:
A: False positives are events that are not really incidents. Thus to ensure that false positives are identified
is not the main concern of implementing IT security policy.
B: Conforming to policy is only possible if policy is in place.
D: Acceptable use policy I concerned mainly with how a company allows their computers to b eused
within the company.
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 9-10, 28