another security management question


CISSP_Candidate
08-29-2006, 11:14 AM
Which one of the following is an important characteristic of an information security policy?

A. Identifies major functional areas of information.
B. Quantifies the effect of the loss of the information.
C. Requires the identification of information owners.
D. Lists applications that support the business function.

Answer is A.

However, in the Official Guide, A, B and D are all listed as Risk Analysis tasks, so I thought it must be C...

Jescoi
08-29-2006, 11:16 AM
Damn tough question. And... you make it tougher when you bring in the notion of Risk Analysis. There is nothing IN the question about Risk Analysis, but since you found some of the answers listed in that section in the guide, now RA is in your mind and you are applying that to a question about a Security Policy.

B. There is no quantification of loss in a security policy.

C. Certainly there could be mention of information owners, but the IS policy is not really the place to DEFINE or ID Info owners. For example, if I am identified in the security policy as the owner of some information on the network and I leave the company, the policy needs to be re-written.

D. A policy isn't going to LIST the applications, it may discuss how and how not to "use" the applications.

We are ALWAYS looking for the best or sometimes "BETTER" answer. So I gotta stick with "A" as the "BETTER" answer. Also, the fact that you found "A" under RA does NOT mean it can't be part of the Security Policy.

Good example of how important it is to 1) really read the question carefully, and 2) really understand what the question is asking.