The CISO is revising the enterprise’s risk policy. Which element must be clearly included?