Which choice below is NOT an example of an issue-specific policy?

A.
Virus-checking disk policy

B.
Defined router ACLs

C.
Unfriendly employee termination policy

D.
E-mail privacy policy

Explanation:
Answer c is an example of a system-specific policy, in this case the router’s access control lists. The
other three answers are examples of issue-specific policy, as defined by NIST. Issue-specific policies
are similar to program policies, in that they are not technically focused. While program policy is
traditionally more general and strategic (the organization’s computer security program, for
example), issue-specific policy is a nontechnical policy addressing a single or specific issue of concern
to the organization, such as the procedural guidelines for checking disks brought to work or e-mail

privacy concerns. System-specific policy is technically focused and addresses only one computer
system or device type. Source: National Institute of Standards and Technology, An Introduction to
Computer Security: The NIST Handbook Special Publication 800-12.