Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A.
What is to be done.
B.
When it is to be done.
C.
Who is to do it.
D.
Why is it to be done
Explanation:
Regulatory Security policies are mandated to the organization but it up to them to
implement it.
“Regulatory – This policy is written to ensure that the organization is following standards set by a
specific industry and is regulated by law. The policy type is detailed in nature and specific to a
type of industry. This is used in financial institutions, health care facilities, and public utilities.” -Shon Harris All-in-one CISSP Certification Guide pg 93-94