The security policy of an organisation should address: (Choose all that apply.)

Question

BlackTom AI · Accepted Answer

A security policy sets high-level principles: it should include an information classification scheme and a risk management strategy because those establish what is protected, at what level, and how protection priorities are determined.

1) Relevant knowledge points and concepts
- Security policy: a high-level document defining objectives, scope, responsibilities, and governing principles for protecting information assets.  
- Information classification scheme: a formal set of labels (e.g., Public, Internal, Confidential, Restricted) and handling rules that determine confidentiality, integrity and availability requirements.  
- Risk management strategy: the organisation’s approach to identifying, assessing, treating, and accepting risks (risk appetite, assessment frequency, treatment options, and governance).

2) Step-by-step reasoning
- A security policy must declare what information sensitivity levels exist so controls can be applied appropriately — that is exactly the role of an information classification scheme.  
- A policy must also state how the organisation will address threats and vulnerabilities at a programmatic level — that is the risk management strategy.  
- Both elements are strategic, cross-cutting, and belong at policy level rather than in operational documents.

3) Calculations / intermediate steps
- No numeric calculations apply. Logical decomposition: policy (high-level) -> classification (defines labels & handling) + risk strategy (defines decision-making and priorities) -> operational controls follow.

4) Why the correct answers are correct
- Information classification provides the basis for assigning controls and access restrictions, so it is fundamental to policy.  
- Risk management strategy defines how risks are assessed and treated across the organisation; without it, policy lacks direction for prioritization and governance.

5) Why other kinds of options would be incorrect
- Detailed procedures, exact technical configurations (e.g., specific firewall rules, encryption algorithms), or daily operational tasks are not appropriate for a policy—they belong in standards, procedures or guidelines. Policies are purposeful high-level directives.

6) Conclusion
The correct choices are Information classification scheme and Risk management strategy, which matches the provided answer.

The security policy of an organisation should address: (Choose all that apply.)多项选择题

类似问题

Why are unintentional insiders considered a security risk?

Which factor is most likely to contribute to unintentional non-compliance with security procedures?

Which of the following describes the precise definition of Cybersecurity?

What would the BEST plan of action be on receiving an e-mail message warning that a virus may have accidentally been sent in the past, and suggesting that the user delete a specific file if it appears on the their computer?

What is the most significant challenge to information security, according to class discussions?

Question at position 16 True or False: Following recognised cybersecurity frameworks helps organisations comply with industry regulations.TrueFalse

Which of the following statements about passwords is not true?

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单