An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
A. updated frequently.
B. developed by process owners.
C. based on industry standards.
D. well understood by all employees.
A. updated frequently.
B. developed by process owners.
C. based on industry standards.
D. well understood by all employees.