In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras. Which of the following should be the information security manager's FIRST course of action?
Conducting a risk assessment should be the first course of action. The issuance of smartphones and tablets with web cameras in violation of a policy introduces potential security risks that need to be evaluated. A risk assessment will help the information security manager understand the extent of these risks and their possible impact on the organization. This evaluation is crucial before making any decisions on policy revisions, communication strategies, or identifying root causes, as it provides a basis for informed decision-making and prioritizing subsequent actions.
The answer should be C. Communicate the acceptable use policy, as that is the only one that addresses the issue now. Rationale: A. Revise the policy - This will take time and not do anything for the status quo. B. Conduct a risk assessment - This should be done after the policy has been communicated because the risk has already occurred. They have phones. The question now is how bad is it going to be. If it's going to be bad, as a stop-gap people need to be reminded of the acceptable use policy. D. Perform a root cause analysis - For what? We already know the cost.
The information security manager's FIRST course of action should be to communicate the acceptable use policy. Therefore, the correct answer is option C.
I think so too
I vote B. Conduct a risk assessment.
I went with B because the question states the use of cameras in the office, but the users were "issued" the phones and tablets with web enabled cameras. For me, the question did not explicitly state that it was an acceptable use policy that prevents the usage of cameras; it could have been a security policy. It sounds to me like new technology was introduced and a risk assessment needs to be conducted.
In two companies I've worked for, prohibiting taking photos or videos inside office premises was defined in AUP.
First to conduct the risk assessment.
B- There is no point of C when based on the question, the policy does not allow the use of cameras therefore, no acceptable use policy occurs addressing that. Communicating existing policy would only prohibit the use of cameras.
I think B. The reason being it's already a violation of policy, which means a policy revision should occur. Conduct risk assessment, present it to stakeholders, revise policy and publish acceptable use policy after all this.
employees have been "issued smartphones and tablet computers" with enabled web cameras. To my understanding, "issued" was done by the company.
employees have been issued smartphones and tablet computers with enabled web cameras
B. Conduct a risk assessment. The information security manager's first course of action should be to conduct a risk assessment to understand the potential security risks and implications associated with the use of smartphones and tablet computers with enabled web cameras in violation of the policy. This assessment will help identify the specific security risks, assess their likelihood and impact, and determine appropriate mitigation measures. Once the risks are understood, the information security manager can then proceed with revising the policy, communicating the acceptable use policy, and performing a root cause analysis as necessary.
C. Communicate the acceptable use policy. Before revising the policy or conducting a risk assessment, it's essential to ensure that employees are aware of the existing policy and the reasons behind it. By communicating the acceptable use policy clearly to employees, including the prohibition of camera use at the office, the manager can help ensure that employees understand the rules and their importance.
Option C may not be correct because “AUP should be communicated before employees have been issued smartphones and tablet computers”
B is correct