CompTIA CySA+ (CS0-003) — Question 364
Which of the following does a security policy do?
Answer options
- A. Establishes a cost model for security activity
- B. Identifies and clarifies security goals and objectives
- C. Enables management to define system access rules
- D. Allows management to define system recovery requirements
Correct answer: B
Explanation
The correct answer is B because a security policy primarily focuses on identifying and clarifying the security goals and objectives of an organization. Options A, C, and D, while related to security, deal with financial modeling, access rules, and recovery requirements, respectively, rather than the foundational purpose of a security policy.