Which procedure is NOT part of a computer risk policy?

Ongoing employee training plays a crucial role in an organization's overall security posture, but it is typically considered a broader aspect of risk management and security awareness rather than a specific component of a formal computer risk policy. A computer risk policy generally outlines the specific risk management strategies and measures in place to protect the organization's information systems and data from various threats.

Incident reporting procedures, access control measures, and system monitoring policies are all integral parts of a computer risk policy. Incident reporting procedures ensure that any security incidents are documented and addressed promptly, access control measures define how users can interact with the system and protect sensitive information, and system monitoring policies establish how the organization will track system performance and detect anomalies that could indicate a potential security threat. Collectively, these elements form a structured approach to managing and mitigating risks associated with computer systems, making them essential components of a comprehensive computer risk policy.