What is the primary purpose of a security policy in an organization?
Think about what a security policy aims to achieve at a high level.
A security policy sets the rules and guidelines to protect the organization's information and assets. It is not about technical details or unrelated business areas.
Which of the following is NOT typically a component of a security policy?
Consider what information is relevant to security policies.
Employee salary details are confidential HR information and are not part of a security policy. Security policies focus on rules for access, use, and incident handling.
Which challenge is most likely to reduce the effectiveness of a security policy?
Consider how policies are applied in real organizations.
Think about what happens if employees cannot easily follow the rules.
If policies are too complex, employees may ignore or misunderstand them, which makes the policies less effective. Clear, simple policies help ensure compliance.
Which statement correctly compares mandatory and discretionary access control policies?
Think about who controls access in each policy type.
Mandatory access control uses fixed rules set by the system or organization. Discretionary access control lets resource owners decide who can access their resources.
An organization updates its security policy only once every five years. What is the most likely risk of this approach?
Consider how fast technology and threats change.
Security threats evolve quickly. Updating policies infrequently risks missing new threats and vulnerabilities, reducing protection.