Which choice below is NOT a concern of policy development at the high
level?

A.
Identifying the key business resources

B.
Defining roles in the organization

C.
Determining the capability and functionality of each role

D.
Identifying the type of firewalls to be used for perimeter security

Explanation:
The other options are elements of policy development at the

highest level. Key business resources would have been identified
during the risk assessment process. The various roles are then
defined to determine the various levels of access to those resources.
Answer “Determining the capability and functionality of each role” is the final step in the policy
creation process and combines
steps a and “Defining roles in the organization”. It determines which group gets access to each
resource
and what access privileges its members are assigned. Access to
resources should be based on roles, not on individual identity.
Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress
(Sams Publishing, 2001).