Which choice below is NOT a concern of policy development at the high level?

A.
Identifying the key business resources

B.
Defining roles in the organization

C.
Determining the capability and functionality of each role

D.
Identifying the type of firewalls to be used for perimeter security

Explanation:

The other options are elements of policy development at the highest level. Key business resources
would have been identified during the risk assessment process. The various roles are then defined to
determine the various levels of access to those resources. Answer “Determining the capability and
functionality of each role” is the final step in the policy creation process and combines steps a and
“Defining roles in the organization”. It determines which group gets access to each resource and
what access privileges its members are assigned. Access to resources should be based on roles, not
on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology
by Mandy Andress (Sams Publishing, 2001).