What is required about security policies and operational procedures for developing and maintaining secure systems and applications?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What is required about security policies and operational procedures for developing and maintaining secure systems and applications?

Explanation:
Formal, documented security policies and operational procedures are essential to guide how systems and applications are developed, deployed, and maintained. They must be written so everyone knows what is required, implemented so the rules are actually followed, and communicated to all affected parties so developers, operators, testers, and managers are aware of and adhere to them. This combination ensures consistent security across the full lifecycle and supports training, accountability, and audits.

If policies are only informal or kept within a single team, other groups won’t follow them, leading to inconsistent security. If policies are treated as optional in non-production environments, risky practices can still slip in where they matter. And if policies are reviewed only during annual audits, they may become outdated as technologies and threats evolve, leaving gaps in protection.
