Information security policies should:

A.
address corporate network vulnerabilities.

B.
address the process for communicating a violation.

C.
be straightforward and easy to understand.

D.
be customized to specific groups and roles.

Explanation:

As high-level statements, information security policies should be straightforward and easy to
understand. They arc high-level and, therefore, do not address network vulnerabilities directly or
the process for communicating a violation. As policies, they should provide a uniform message to
all groups and user roles.