Choice "C" is correct. Program-level policy describes information security and assigns responsibility for achievement of security objectives to the IT department.
Choice "a" is incorrect. A program-framework policy adds detail to the IT program by describing the elements and organization of the program and department that will carry out the security mission.
Choice "d" is incorrect. Issue-specific policy addresses specific issues of concern to the organization.
Choice "b" is incorrect. System-specific policy focuses on policy issues that management has decided for a specific system.
