The preliminary steps to security planning include all of the following EXCEPT which of the following?

A.
Establish objectives.

B.
List planning assumptions.

C.
Establish a security audit function.

D.
Determine alternate courses of action

Explanation:
A security policy is an overall general statement produced by senior management (or a selected policy board or
committee) that dictates what role security plays within the organization. A security policy can be an
organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy,
management establishes how a security program will be set up, lays out the program’s goals, assigns
responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be
carried out.
Security planning should include establishing objectives, listing assumptions and determining alternate courses
of action.
Security planning does not include establishing a security audit function. Auditing security is performed to
ensure that the security measures implemented as described in the security plan are effective.
Incorrect Answers:
A: Security planning should include establishing objectives.B: Security planning should include listing assumptions.
D: Security planning should include determining alternate courses of action.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 102