Answer:
The statement is: False.
Step-by-step explanation:
Policies and standards of data protection are set within a company to reduce the risk of being exposed to internal and external threats that could harm the firm's operations. While establishing those guidelines, it is important to recognize where, when, and how the threat is caused and the steps of actions necessary to defend and counterattack the threat.
In the example, if an organization orders the use of a firewall to limit the activities of internal users the question to be addressed must be related to where, when, or how the protection can be achieved. What, who, and why questions are useful to provide additional details on the measures taken.