An effective information security policy should not have which of the following characteristics?

A.
Include separation of duties.

B.
Be designed with a short-to mid-term focus.

C.
Be understandable and supported by all stakeholders.

D.
Specify areas of responsibility and authority.

Explanation:
This is not a very good practice, specially for the CISSP examination, when you plan and develop the
security policy for your enterprise you should always plan it with a long term focus. The policy should
be created to be there for a long time, and you should only make revisions of it every certain time to
comply with changes or things that could have changed. In a security policy the duties should be well
specified, be understandable by the people involved in it, and specify areas of responsibility.