What must be true about security policies and procedures for identification and authentication?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What must be true about security policies and procedures for identification and authentication?

Explanation:
Security policies and procedures for identification and authentication must be formalized, implemented, and communicated to everyone who is affected. Having a written policy establishes the rules for verifying who users are, how authentication is performed (such as passwords, multi-factor methods, or tokens), and how access is granted, managed, and revoked. When these policies are documented and actually used, staff know what is expected, system owners apply consistent controls, and there is a clear, auditable record for compliance. If policies are informal, optional, or only apply to some systems, important gaps appear: inconsistent practices, higher risk of unauthorized access, and difficulties proving compliance during audits. This is why the best answer emphasizes that policies and procedures must be documented, in use, and known to all affected parties.

