Which of the following statements pertaining to a security policy is NOT true?

A.
Its main purpose is to inform the users, administrators and managers of their obligatory requirements for
protecting technology and information assets.

B.
It specifies how hardware and software should be used throughout the organization.

C.
It needs to have the acceptance and support of all levels of employees within the organization in order for it
to be appropriate and effective.

D.
It must be flexible to the changing environment.

Explanation:
The attributes of a security policy include the following:
Its main purpose is to inform the users, administrators and managers of their obligatory requirements for
protecting technology and information assets.
It needs to have the acceptance and support of all levels of employees within the organization in order for it
to be appropriate and effective.
It must be flexible to the changing environment.
A security policy does not specify how hardware and software should be used throughout the organization. This
is the purpose of an Acceptable Use Policy.
Incorrect Answers:
A: The main purpose of a security policy is to inform the users, administrators and managers of their obligatory
requirements for protecting technology and information assets.
C: A security policy does to have the acceptance and support of all levels of employees within the organization
in order for it to be appropriate and effective.
D: A security policy must be flexible to the changing environment.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 102