Well-written security program policies should be reviewed:

A.
At least annually

B.
After major project implementations

C.
When applications or operating systems are updated

D.
When procedures need to be modified

Explanation:
A: Policies should survive two or three years even though they should be reviewed and approved at least annually. Page 413.