PrepAway - Latest Free Exam Questions & Answers

An effective information security policy should NOT have which of the following characteristics?

A. Include separation of duties

B. Be designed with a short- to mid-term focus

C. Be understandable and supported by all stakeholders

D. Specify areas of responsibility and authority

Explanation/Reference:
An information security policy should not be designed with a short to mid-term focus. It should be created with
the intention of having the policies in place for several years at a time. This will help ensure policies are
forward-thinking enough to deal with potential changes that may arise. It should also be reviewed and modified
as a company changes, such as through adoption of a new business model, a merger with another company,
or change of ownership.
Incorrect Answers:
A: An information security policy should include separation of duties.
C: An information security policy should be understandable and supported by all stakeholders.
D: An information security policy should specify areas of responsibility and authority.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 102

