The security policy of an organisation should address: (Choose all that apply.)

Question

BlackTom AI · Accepted Answer

A security policy sets high-level principles: it should include an information classification scheme and a risk management strategy because those establish what is protected, at what level, and how protection priorities are determined.

1) Relevant knowledge points and concepts
- Security policy: a high-level document defining objectives, scope, responsibilities, and governing principles for protecting information assets.  
- Information classification scheme: a formal set of labels (e.g., Public, Internal, Confidential, Restricted) and handling rules that determine confidentiality, integrity and availability requirements.  
- Risk management strategy: the organisation’s approach to identifying, assessing, treating, and accepting risks (risk appetite, assessment frequency, treatment options, and governance).

2) Step-by-step reasoning
- A security policy must declare what information sensitivity levels exist so controls can be applied appropriately — that is exactly the role of an information classification scheme.  
- A policy must also state how the organisation will address threats and vulnerabilities at a programmatic level — that is the risk management strategy.  
- Both elements are strategic, cross-cutting, and belong at policy level rather than in operational documents.

3) Calculations / intermediate steps
- No numeric calculations apply. Logical decomposition: policy (high-level) -> classification (defines labels & handling) + risk strategy (defines decision-making and priorities) -> operational controls follow.

4) Why the correct answers are correct
- Information classification provides the basis for assigning controls and access restrictions, so it is fundamental to policy.  
- Risk management strategy defines how risks are assessed and treated across the organisation; without it, policy lacks direction for prioritization and governance.

5) Why other kinds of options would be incorrect
- Detailed procedures, exact technical configurations (e.g., specific firewall rules, encryption algorithms), or daily operational tasks are not appropriate for a policy—they belong in standards, procedures or guidelines. Policies are purposeful high-level directives.

6) Conclusion
The correct choices are Information classification scheme and Risk management strategy, which matches the provided answer.

The security policy of an organisation should address: (Choose all that apply.)Multiple choice

Similar Questions

Why are unintentional insiders considered a security risk?

Which factor is most likely to contribute to unintentional non-compliance with security procedures?

Which of the following describes the precise definition of Cybersecurity?

What would the BEST plan of action be on receiving an e-mail message warning that a virus may have accidentally been sent in the past, and suggesting that the user delete a specific file if it appears on the their computer?

What is the most significant challenge to information security, according to class discussions?

Question at position 16 True or False: Following recognised cybersecurity frameworks helps organisations comply with industry regulations.TrueFalse

Which of the following statements about passwords is not true?

More Practical Tools for Students Powered by AI Study Helper

Homework AI Solver

Stylized AI Paper Writer

Plagiarism Checker Assistant

Citation AI Academic Writing Tool

In-Class Translation Assistant

AI Note Generator

AI Quiz Answers

Past Exam Questions from University Test Bank

Smart Practice Assistant

Adaptive Practice

Making Your Study Simpler