Ongoing review and testing of policies and procedures should be performed only when major incidents occur to ensure they remain relevant and effective.
This statement is false: ongoing review and testing of policies and procedures should not be limited to the aftermath of major incidents. Best practices recommend continuous monitoring and periodic revision as part of an effective security governance framework. This approach keeps the organization's security posture proactive and able to adapt to new threats, technological changes, and shifts in the business landscape. Waiting for a major incident may leave it too late to address potential gaps or weaknesses that regular reviews could have identified and corrected.