The objectives of the business and also the size of the business can impact the security policy framework. Answer the following questions:

 

 

What can happen if the security team chooses a framework as a foundation that does not fit the business objectives? List 4 things that can happen if the framework and objectives are not aligned.

 

How are organizations of varying sizes–small, medium, and large–impacted by the lack of a policy framework?

 

Is there an organization small enough that it can safely avoid a formal security policy framework? Or do even micro organizations (>10 employees) require some sort of structured security policies?