When identifying legal and regulatory issues affecting information security, which of the following
would represent the BEST approach to developing information security policies?

A.
Create separate policies to address each regulation

B.
Develop policies that meet all mandated requirements

C.
Incorporate policy statements provided by regulators

D.
Develop a compliance risk assessment

Explanation:

It will be much more efficient to craft all relevant requirements into policies than to create separate
versions. Using statements provided by regulators will not capture all of the requirements
mandated by different regulators. A compliance risk assessment is an important tool to verify that
procedures ensure compliance once the policies have been established.