Which of the following is true about information security policy?
A) It should be written after a company has encountered an incident
B) It may conflict with the law
C) End users should not be involved in the creation of the policy
D) It must be able to stand up in court, if challenged

Question

Quizplus · Accepted Answer

An information security policy must be able to stand up in court, if challenged. This means that it must be clearly expressed, enforceable, and not conflict with any laws, regulations or other legal obligations.

Therefore, only option D is true about information security policy. Option A is incorrect because an information security policy should be written before an incident occurs. Option B is incorrect because an information security policy should not conflict with the law. Option C is incorrect because end users should be involved in the creation of the policy to ensure that it is understood and followed by everyone in the organization.

Which of the Following Is True About Information Security Policy