An enterprise information security policy (EISP) is a management-level document that details the organization's philosophy, objectives, and expectations regarding information security. It sets the direction, scope, and tone for all security efforts and provides a framework for developing and implementing security programs and controls. Some of the key elements of an EISP are:
A statement of the organization's security vision, mission, and principles that align with its business goals and values [1][2][3].
A definition of the organizational structure and accountabilities for oversight, governance, and management of information security, including the roles and responsibilities of senior executives, security officers, business units, and users [1][2][3].
A specification of the legal and regulatory compliance requirements and obligations that the organization must adhere to, such as data protection, privacy, and breach notification laws [1][2][3].
A description of the scope and applicability of the EISP, including the types of information, systems, and assets that are covered, and the exclusions or exceptions that may apply [1][2][3].
A declaration of the effective date and the date of last review by management, as well as the frequency and criteria for reviewing and updating the EISP to ensure its relevance and adequacy [1][2][3].
A statement of the organization's risk appetite and tolerance, and the process for identifying, assessing, and treating information security risks [1][2][3].
A provision of the authority and responsibility for implementing, enforcing, monitoring, and auditing the EISP and its related policies, standards, procedures, and guidelines [1][2][3].
A determination of the access control policy and the rules for granting, revoking, and reviewing access rights and privileges to information, systems, and assets [1][2][3].
An organization of the EISP based on an accepted control framework, such as ISO 27001, NIST SP 800-53, or COBIT, that defines the security domains, objectives, and controls that the organization must implement and maintain [1][2][3].
However, option C, a statement that security policies should be changed on an annual basis due to technology changes, is not an accurate reflection of an organization's requirements within an EISP. While technology changes may affect the security environment and the threats and vulnerabilities that the organization faces, they are not the only factor that determines the need for changing security policies. Other factors, such as business changes, legal changes, risk changes, audit findings, incident reports, and best practices, may also trigger the need for reviewing and updating security policies. A fixed annual cycle is therefore neither necessary nor sufficient; the EISP instead states the frequency and the criteria that trigger a review. Therefore, option C is the correct answer, as it is the only one that does not reflect an organization's requirements within an EISP.
References: The following resources support the verified answer and explanation:
[1] What Is The Purpose Of An Enterprise Information Security Policy?
[2] Enterprise Information Security Policies and Standards
[3] Key Elements Of An Enterprise Information Security Policy
Enterprise Information Security Policy (EISP) - SANS