Which one of the following is NOT a fundamental component of a Regulatory Security Policy?

A.
What is to be done.

B.
When it is to be done.

C.
Who is to do it.

D.
Why is it to be done

Explanation:
Regulatory Security policies are mandated to the organization but it up to them to implement it.
“Regulatory – This policy is written to ensure that the organization is following standards set by a
specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of
industry. This is used in financial institutions, health care facilities, and public utilities.” – Shon Harris
All-in-one CISSP Certification Guide pg 93-94