Which statement below is accurate about the difference between issuespecific and system-specific
policies?
A.
Issue-specific policy commonly addresses only one system.
B.
Issue-specific policy is much more technically focused.
C.
System-specific policy is much more technically focused.
D.
System-specific policy is similar to program policy.
Explanation:
Often, managerial computer system security policies are categorized into three basic types: Program
policy used to create an organization’s computer security program Issue-specific policies used to
address specific issues of concern to the organization System-specific policies technical directives
taken by management to protect a particular system Program policy and issue-specific policy both
address policy from a broad level, usually encompassing the entire organization. However, they do
not provide sufficient information or direction, for example, to be used in establishing an access
control list or in training users on what actions are permitted. System-specific policy fills this need.
System-specific policy is much more focused, since it addresses only one system. Table A.1 helps
illustrate the difference between these three types of policies. Source: National Institute of
Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special
Publication 800-12.