ISC Exam Questions

Which of the following questions should any user not be able to answer regarding their organization's information security policy?

A.
Who is involved in establishing the security policy?

B.
Where is the organization security policy defined?

C.
What are the actions that need to be performed in case of a disaster?

D.
Who is responsible for monitoring compliance to the organization security policy?

Explanation:
According to CISSP documentation, the actual definition and procedures contained in an organization's disaster recovery policy are of a private nature. Only people working in the company, and with a role inside it, should know about those procedures. It is not good practice to divulge disaster recovery procedures to external people. External people often do need to know who is involved in the policy and who is responsible for it; this could be the case, for example, for a vendor providing replacement equipment in the event of a disaster.