Which of the following should be included in an organization’s IS security policy?

A.
A list of key IT resources to be secured

B.
The basis for access authorization

C.
Identity of sensitive security features

D.
Relevant software security features

Explanation:
The security policy provides the broad framework of security, as laid down and approved by senior
management. It includes a definition of those authorized to grant access and the basis for granting the access.
Choices A, B and C are more detailed than that which should be included in a policy.