PrepAway - Latest Free Exam Questions & Answers

Which of the following items would most likely NOT be listed?

The British Standard 7799/ISO Standard 17799 discusses cryptographic policies. It states, "An
organization should develop a policy on its use of cryptographic controls for protection of its
information . . . . When developing a policy, the following should be considered:" (Which of the
following items would most likely NOT be listed?)


A.
The approach to key management, including methods to deal with the recovery of encrypted
information in the case of lost, compromised or damaged keys

B.
Roles and responsibilities

C.
The management approach toward the use of cryptographic controls across the organization

D.
The encryption schemes to be used

Explanation:
A policy is a general statement of management’s intent, and therefore, a policy would not specify
the encryption scheme to be used. The other answers are appropriate for a cryptographic policy.

The general standards document is BSI ISO/IEC 17799:2000, BS 7799-I:2000, Information technology -
Code of practice for information security management, British Standards Institution, London, UK.
The standard is intended to provide a comprehensive set of controls comprising best practices in
information security. ISO refers to the International Organization for Standardization and IEC is the
International Electrotechnical Commission. These two entities form the system for worldwide
standardization.

The main chapter headings of the standard are: Security Policy; Organizational Security; Asset
Classification and Control; Personnel Security; Physical and Environmental Security;
Communications and Operations Management; Access Control; Systems Development and
Maintenance; Business Continuity Management; Compliance.

