PrepAway - Latest Free Exam Questions & Answers

Which of the following questions should any user not be able to answer regarding their organization informatio

Which of the following questions should any user not be able to answer regarding their
organization information security policy?


A. Who is involved in establishing the security policy?

B. Where is the organization security policy defined?

C. What are the actions that need to be performed in case of a disaster?

D. Who is responsible for monitoring compliance to the organization security policy?

Explanation:
According to CISSP documentation, the actual definition and procedures defined
inside an organization's disaster recovery policy are private in nature. Only people who work in the
company and have a role in it should know about those procedures. It's not good practice to
divulge disaster recovery procedures to external people. Often, external people do need
to know who is involved in it and who is responsible. This could be the case for a vendor providing
replacement equipment in case of disaster.

One Comment on “Which of the following questions should any user not be able to answer regarding their organization informatio

  1. Ahmed says:

    Answer & explanation have no relevance to the question, which is about a ‘user’. A user would be an employee of the company. The company president is also a ‘user’. The answer rambles on about ‘external people’, which is not in the question.



