Which statement below is accurate about the difference between issuespecific
and system-specific policies?

A.
Issue-specific policy commonly addresses only one system.

B.
Issue-specific policy is much more technically focused.

C.
System-specific policy is much more technically focused.

D.
System-specific policy is similar to program policy.

Explanation:
Often, managerial computer system security policies are categorized
into three basic types:
Program policy used to create an organization’s computer security
program
Issue-specific policies used to address specific issues of concern
to the organization
System-specific policies technical directives taken by management
to protect a particular system
Program policy and issue-specific policy both address policy from
a broad level, usually encompassing the entire organization. However,
they do not provide sufficient information or direction, for
example, to be used in establishing an access control list or in training
users on what actions are permitted. System-specific policy fills this
need. System-specific policy is much more focused, since it addresses
only one system.
Table A.1 helps illustrate the difference between these three types
of policies. Source: National Institute of Standards and Technology, An
Introduction to Computer Security: The NIST Handbook Special Publication 800-12.