You have been hired by a startup as their first IT Security team member. To your surprise they have no security or compliance policies documented. The first policy you aim to create would ensure that access to company systems and data is based on an individual's job function. What option best describes this policy?
|Attacks, Threats, and Vulnerabilities|
|Architecture and Design|
|Operations and Incident Response|
|Governance, Risk, and Compliance|