Which statement best reflects malware protection policy?

• A. Security policies and operational procedures for protecting systems against malware are documented and developed by the IT department only.
• B. Malware protection policies can be used as guidelines without formal communication.
• C. Security policies for malware protection must be documented, in use, and known to all affected parties.
• D. Documentation alone suffices for malware protection policies.

Answer: (C)

Malware protection only works if the policy is formal, active, and widely understood. A documented policy provides a clear standard, but it must also be put into practice and communicated to everyone who is affected so they know their roles and how to respond. If the policy is developed by IT alone, it may not reflect real-world operations or duties, and if it exists only as guidelines without formal communication, people won’t know what’s required. Documentation by itself isn’t enough either—you need to ensure the policy is actually used and that all affected parties are aware of it. Therefore, the statement that the malware protection policy must be documented, in use, and known to all affected parties best captures what’s needed for effective protection.