Which of the following choices is NOT normally part of the questions that would be asked with regard to an organization’s information security policy?
A. Who is involved in establishing the security policy?
B. Where is the organization’s security policy defined?
C. What are the actions that need to be performed in case of a disaster?
D. Who is responsible for monitoring compliance with the organization’s security policy?
Answer: C
Explanation: Actions to be performed in case of a disaster are not normally part of an information security policy but part of a Disaster Recovery Plan (DRP).
Only personnel involved in the plan should have a copy of the Disaster Recovery Plan, whereas everyone should be aware of the contents of the organization’s information security policy.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 398).