Exam CISM
Question 458

An organization permits the storage and use of its critical and sensitive information on employee-owned smartphones. Which of the following is the BEST security control?

A. Monitoring usage
B. Developing security awareness training
C. Requiring the backup of the organization's data by the user
D. Establishing the authority to remote wipe

    Correct Answer: D

    When an organization permits critical and sensitive information to be stored and used on employee-owned smartphones, the best security control is to establish the authority to remotely wipe that data. If a phone is lost or stolen, or the employee leaves the organization, the sensitive information can then be erased before it is accessed or misused. The other options are valuable but do not address the scenario in which the device is no longer in the user's possession: monitoring usage only observes, awareness training only informs, and requiring backups protects the availability of the data rather than its confidentiality. In practice the authority is obtained through the BYOD acceptable-use agreement the employee signs and is exercised through mobile device or application management, which should be configured for a selective (enterprise-only) wipe so that the user's personal data on the same device is left intact.

Discussion
beever (Option: B)

It should be B, developing security awareness training. Since it is on employee-owned smartphones, awareness would be the best security control for it.

dark_3k03r (Option: D)

The correct solution would be (D), as the organization should be able to wipe the device in case it is stolen or misplaced. A could cause potential legal issues. B, developing security awareness training, would do nothing to control the situation but only make users aware of it. C, requiring the backup of the organization's data by the user, does not address the fact that a device may be stolen or misplaced.

POWNED (Option: D)

I don't believe awareness training is a control; I will have to go with D on this one.

Soleandheel (Option: D)

D. Establishing the authority to remote wipe. I'm going with D because, what if the threat is an insider threat? Maybe one of your employees decides to misuse company data deliberately. Training will not help in this situation. Remote wipe is the best option in this scenario.

AaronS1990 (Option: D)

This is D; if the phone is lost you need to delete the sensitive data. B, education, does nothing. Everyone knows how to use a phone, and anyone could lose one.

richck102 (Option: D)

D. Establishing the authority to remote wipe

Saisharan (Option: D)

Developing security awareness training (option B) is beneficial, but it alone may not provide sufficient control over the data stored on employee-owned smartphones. So the correct option is D.

03allen (Option: B)

Does it make sense to wipe other people's data on the same phone? Not unless you install a separate enterprise OS. So user awareness is the best solution.

oluchecpoint (Option: D)

Option D

Goseu (Option: D)

The best security control for what, exactly? I don't think training users is a control. D is a control, but it's very far-fetched since you allow users to store and use the data. It doesn't feel like a realistic question.

Rowlandmarc (Option: B)

I believe B is the better of the two: educating the user on appropriate use cases, how to manage the data, etc. Compared to option D, which is the single control to wipe the phone once it is reported missing, user education provides that much more value.

[Removed]

Educating does nothing if they lose the phone. You need to wipe it then.