An effective information security policy should not have which of the following characteristics?

A.
Include separation of duties.

B.
Be designed with a short-to mid-term focus.

C.
Be understandable and supported by all stakeholders.

D.
Specify areas of responsibility and authority.

Explanation:
This is not a very good practice, specially for the CISSP examination, when you plan
and develop the security policy for your enterprise you should always plan it with a long term
focus. The policy should be created to be there for a long time, and you should only make
revisions of it every certain time to comply with changes or things that could have changed.
In a security policy the duties should be well specified, be understandable by the people involved
in it, and specify areas of responsibility.