Which choice below is NOT an accurate description of an information policy?
A. Information policy is senior management’s directive to create a computer security program.
B. Information policy is a documentation of computer security decisions.
C. An information policy could be a decision pertaining to use of the organization’s fax.
D. Information policies are created after the system’s infrastructure has been designed and built.
Explanation:
Computer security policy is often defined as the documentation of computer security decisions. The
term policy has more than one meaning. Policy is senior management’s directives to create a
computer security program, establish its goals, and assign responsibilities. The term policy is also
used to refer to the specific security rules for particular systems. Additionally, policy may refer to
entirely different matters, such as the specific managerial decisions setting an organization’s e-mail
privacy policy or fax security policy. A security policy is an important document to develop while
designing an information system, early in the System Development Life Cycle (SDLC). The security
policy begins with the organization’s basic commitment to information security formulated as a
general policy statement. The policy is then applied to all aspects of the system design or security
solution. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology
Security (A Baseline for Achieving Security).