(ISC)2 Certified in Cybersecurity Practice Exam

The scenario presented clearly illustrates the establishment of a rule by a city council to penalize malware creation, categorizing it as a law. Laws are typically implemented by governing bodies and are enforced through a legal system. They dictate prescribed behaviors and consequences for violations, thereby providing a framework within which society operates. In this case, the law addresses the issue of malware creation, setting forth penalties to deter individuals or entities from engaging in such harmful activities.

Policies, procedures, and standards serve different purposes in an organization or system. Policies outline the guiding principles regarding acceptable behavior or conduct, while procedures provide specific steps to accomplish a task or process. Standards, on the other hand, denote specific requirements that must be met to ensure consistency and quality. Unlike laws, these elements are generally internal to organizations, lacking the legal enforcement that comes with laws enacted by governmental entities. Hence, penalties imposed by a city council for malware creation are driven by legal authority, making it a clear instance of law rather than any of the other categories.