CISM Certified Information Security Manager – Question0966

Information security policies should:

A. address corporate network vulnerabilities.
B. address the process for communicating a violation.
C. be straightforward and easy to understand.
D. be customized to specific groups and roles.

Correct Answer: C

Explanation:
As high-level statements, information security policies should be straightforward and easy to understand. They are high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation. As policies, they should provide a uniform message to all groups and user roles.