Enhance your CompTIA CASP+ exam readiness with our comprehensive quizzes. Sharpen your skills with detailed flashcards and multiple choice questions, each with hints and in-depth explanations. Prepare effectively for this challenging exam!


What is a key recommendation the IT Director should present regarding security policy writing?

  1. Allow vendors to lead the process.

  2. Consult legal and regulatory requirements.

  3. Outsource policy creation to a security firm.

  4. Prioritize vendor relationships over compliance.

The correct answer is: Consult legal and regulatory requirements.

Consulting legal and regulatory requirements is a crucial recommendation when writing security policies because these requirements govern how organizations must handle data, privacy, and security practices. By aligning the security policies with applicable laws and regulations, the IT Director can ensure that the organization not only protects its assets and data effectively but also remains compliant with legal obligations. This helps mitigate legal risks and can prevent costly penalties or lawsuits that might arise from non-compliance.

In addition, understanding these legal frameworks contributes to creating a comprehensive security posture that addresses issues related to data breaches, incident responses, and overall risk management. This approach not only safeguards the company's interests but also builds trust with customers and stakeholders, establishing the organization as a responsible entity in managing sensitive information.

Other options, such as allowing vendors to lead the process or outsourcing policy creation, could result in a policy that may not adequately reflect the unique needs and context of the organization. Prioritizing vendor relationships over compliance undermines the very purpose of having security policies in place, which is to ensure the organization operates within a secure and regulatory-compliant framework.