Exam CISM topic 1 question 70 discussion

Questions to ask the IM manager, 1. If i don't have a policy but a MDM - would I be able to ensure security? 2. If i have a policy but not a MDM - would I be able to ensure seucurity? I would say the likelihood of saying Yes 1 more over than 2, technincal control is generally more effective than administrative controls in the real world.

It's not a corporate device, it's a user's device. You can't completely take control and manage personal devices through MDM.

It is B as an AUP would heavily rely on a voluntary or trust-based compliance. A technical solution would provide the means to enforce any security standards posed by the policy.

I think the key word in the question is "adhere" the ONLY thing that would do this is C deploy and MDM. An AUP is also a must but it won't make users "adhere to the security standards.

The questions ask for a deterrent control for the users to abide by. Standards are created from policies so Policies is the correct answer, if the question leans towards a corrective control then it will be MDM. Question clearly states what has to be done on the user side so that the user abide by the standards, it will be policy.

C is the best choice, we need to understand that this is managerial position, and the most thing is policy has to be establish first, then the next is how it will be implemented now MDM comes it which are works for engineer.

B - they are talking about standards not policies. Also the word "ensure" means "make them"comply, while an AUP, would "trust they do"

Modern tendencies tend to encourage implementing MDM for BYOD, as that's the only way to guarantee adherence to standards. BTW, the questions also says "standards", not "policies" so AUP is also not as relevant here. You are enforcing security standards (and policies if you have them) via MDM.

we just agree to disagree :)

Deploying a device management solution is the most effective way to ensure that users adhere to security standards in a bring your own device (BYOD) program. A device management solution allows the organization to enforce security policies, monitor compliance, and remotely manage and secure devices that are used to access organizational resources. This ensures that devices conform to security standards and reduces the risk of security incidents associated with BYOD.

Implementing a device management solution allows the organization to enforce security standards on the devices that connect to the corporate network. This can include features such as device authentication, encryption, remote wiping capabilities, and other security controls. By deploying a device management solution, the organization can have better control over the security posture of devices used in the BYOD program. While publishing standards on the intranet (option A) and establishing an acceptable use policy (option C) are important communication measures, they may not guarantee adherence. Monitoring user activities on the network (option D) is reactive and may not proactively enforce security standards. A device management solution provides a more proactive and effective means of ensuring adherence to security standards for BYOD.

It is very straightforward. To make an user adhere to standard must have an acceptable use policy which they are supposed to abide by. The policies can be imported into device management solution as a technical control to ensure the policy is enforced thus answer C should be appropriate and should already include option B.

C. Establish an acceptable use policy. An acceptable use policy (AUP) outlines the rules and guidelines that users must follow when using their own devices for work purposes. It sets clear expectations regarding security practices, data protection, and acceptable behaviors. Users are required to read, understand, and agree to the AUP before they are granted access to company resources with their personal devices.

In a CORPORATE device absolutely B, BUT in a personal one (BYOD) the first action is C

I am going with B here because the emphasized word was "Ensure". Users can read and sign AUPs till the cows come home, but that does not necessarily mean they will adhere to it. If the bolded word was "First" or "Primarily" then maybe AUPs will be the correct answer. If Device management is deployed, people will have no option but to be on their best behavior. (Yes, I know it is their personal device) but if they are conducting organization business with it, and you agree to use your device, there will be some management don't you agree?

Agree with albin_kurti 3

Policy comes before implementing a solution