PrepAway - Latest Free Exam Questions & Answers

What is a security policy?

A. High level statements on management’s expectations that must be met in regards to security

B. A policy that defines authentication to the network.

C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements.

D. A statement that focuses on the authorization process for a system

Explanation:
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Fundamentally important to any security program’s success is senior management’s high-level statement of commitment to the information security policy process, and senior management’s understanding of how important security controls and protections are to the enterprise’s continuity. Senior management must be aware of the importance of security implementation to preserve the organization’s viability (and for their own “Due Care” protection), and must publicly support that process throughout the enterprise.
Incorrect Answers:
B: A security policy is not a policy that defines authentication to the network. A security policy is not that specific.
C: A security policy does not explain in detail how to implement the requirements; it is a high-level statement.
D: A security policy is not a statement that focuses on the authorization process for a system. A security policy is not that specific.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 102
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 21

