Explanation/Reference:
Explanation:
Each person who wants to participate in a PKI requires a digital certificate, which is a credential that contains the public key for that individual along with other identifying information. The certificate is created and signed (digital signature) by a trusted third party, which is a certificate authority (CA). When the CA signs the certificate, it binds the individual's identity to the public key, and the CA takes liability for the authenticity of that individual. It is this trusted third party (the CA) that allows people who have never met to authenticate to each other and to communicate in a secure method. If Kevin has never met Dave but would like to communicate securely with him, and they both trust the same CA, then Kevin could retrieve Dave's digital certificate and start the process.
Incorrect Answers:
A: A digital certificate is not the same as a digital signature proving Integrity and Authenticity of the data. A digital certificate binds a key to an identity.
C: It is not true that you can only get a digital certificate from Verisign, RSA if you wish to prove the key belong to a specific user; you can get a digital certificate from any CA. The CA needs to be trusted however for the certificate to be effective. The CA can be one of many 'public' CAs or it can be part of a private PKI.
D: A digital certificate can contain geography data such as country for example.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 834

A Corporate Security Policy is a high level document that indicates what are
management`s intentions in regard to Information Security within the organization. It is high level
in purpose, it does not give you details about specific products that would be use, specific steps,
etc..
The organization's requirements for access control should be defined and documented in its
security policies. Access rules and rights for each user or group of users should be clearly stated
in an access policy statement. The access control policy should minimally consider:
Statements of general security principles and their applicability to the organization
Security requirements of individual enterprise applications, systems, and services
Consistency between the access control and information classification policies of different systems
and networks
Contractual obligations or regulatory compliance regarding protection of assets
Standards defining user access profiles for organizational roles
Details regarding the management of the access control system
As a Certified Information System Security Professional (CISSP) you would be involved directly in
the drafting and coordination of security policies, standards and supporting guidelines, procedures,
and baselines.
Guidance provided by the CISSP for technical security issues, and emerging threats are
considered for the adoption of new policies. Activities such as interpretation of government
regulations and industry trends and analysis of vendor solutions to include in the security
architecture that advances the security of the organization are performed by the CISSP as well.
The following are incorrect answers:
To transfer the responsibility for the information security to all users of the organization is bogus.
You CANNOT transfer responsibility, you can only tranfer authority. Responsibility will also sit with
upper management. The keyworks ALL and USERS is also an indication that it is the wrong
choice.
To provide detailed steps for performing specific actions is also a bogus detractor. A step by step
document is referred to as a procedure. It details how to accomplish a specific task.
To provide a common framework for all development activities is also an invalid choice. Security
Policies are not restricted only to development activities.
Reference Used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.

When outsourcing completely, issues related to skill sets and training are the concerns of the outsourcing partner, and cannot be considered as issues for our own company.