Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A.
What is to be done.
B.
When it is to be done.
C.
Who is to do it.
D.
Why is it to be done
Explanation:
Regulatory Security policies are mandated to the organization but it up to them to implement it.
“Regulatory – This policy is written to ensure that the organization is following standards set by a
specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of
industry. This is used in financial institutions, health care facilities, and public utilities.” – Shon Harris
All-in-one CISSP Certification Guide pg 93-94