As per book answer is A

A doesn't even remotely mention insurance policy. its just identifying security funds to hedge risk. identify security funds isnt even related to computer risk policy

LETTER C.

Definitely the answer here is A. If you even look at the all answers without reading the question, A sticks out like it doesn't belong there.

This is letter A for me. A. Procedure to identify security funds to hedge risk - This is more on financial/business side. Security doesn't really govern them. B. Procedure to monitor the efficiency of security controls - Related to risks C. Procedure for the ongoing training of employees authorized to access the system - by providing ongoing training for employees authorized to access the system, you are teaching them what to do and what not to do. This lowers the risk of those users being part/triggering an incident. D. Provisions for continuing support if there is an interruption in the system or if the system crashes - related to availability

I think the key is the word "computer" because it is not about human risks.

Correct answer is C. Read the wording of question, it is asking about Risk and how do you hedge a risk, by taking insurance policy. So A is not the answer.

I think also the answer is A as budgeting is not part of the risk policy and security awareness training for employees accesing the coorporate computers and networks is very important to narrow the possibilities of human error or fall victim of cyber security scams

I think the answer is letter A