Check Point Certified Security Principles Associate (CCSPA) (#43)

Which of the following statements about the maintenance and review of information security policies is NOT true?

The review and maintenance of security policies should be tied to the performance evaluations of accountable individuals.
Review requirements should be included in the security policies themselves.
When business requirements change, security policies should be reviewed to confirm that policies reflect the new business requirements.
Functional users and information custodians are ultimately responsible for the accuracy and relevance of information security policies.
In the absence of changes to business requirements and processes, information-security policy reviews should be annual.