Which three topics must be described in an IT security policy? (Choose three.)

A.
employees’ work schedules

B.
ownership of systems and responsibilities

C.
password selection criteria and password aging schedules

D.
documentation of user skills to identify potential user threats

E.
backup schedules and expectations of restorations of lost data