Exam CISA topic 1 question 869 discussion

Actual exam question from Isaca's CISA
Question #: 869
Topic #: 1

Which of the following management decisions presents the GREATEST risk associated with data leakage?

  • A. Staff is allowed to work remotely.
  • B. There is no requirement for desktops to be encrypted.
  • C. Security awareness training is not provided to staff.
  • D. Security policies have not been updated in the past year.
Suggested Answer: A

Comments

Vima234
2 months, 2 weeks ago
Selected Answer: C
You're correct in highlighting that without security awareness training, employees might inadvertently cause data leakage in various ways, even if desktop encryption is in place. For instance, they might fall victim to phishing attacks, mishandle sensitive data, use insecure communication channels, or neglect other critical security practices. Lack of security awareness training can lead to a wide range of risks, including data leakage through multiple vectors beyond just unencrypted devices. Employees who are unaware of security best practices are more likely to make mistakes that can compromise data security, regardless of whether their desktops are encrypted. Given this perspective, Option C: Security awareness training is not provided to staff could indeed be considered the greatest risk, as it affects the overall security behavior and practices of the entire organization, potentially leading to data leakage in numerous ways.
upvoted 1 times
...
Swallows
4 months ago
Selected Answer: A
B. Desktop encryption is not required. The decision to not encrypt desktops can also pose significant security risks, but it does not immediately increase the risk of a data breach compared to the ability to work remotely. Encryption is an important security measure, but remote work management may have a greater impact when balancing security measures with the flexibility of remote work.
upvoted 1 times
...
RS66
4 months ago
Selected Answer: A
I say A. B would be correct if it was a laptop instead of a desktop. They tricked us. Desktops are not a great concern as there are compensating controls like physical security, CCTV, sensors and so on.
upvoted 4 times
...
SuperMax
1 year, 1 month ago
Selected Answer: B
B. There is no requirement for desktops to be encrypted. Not requiring desktops to be encrypted can pose a significant risk because if a laptop or desktop computer is lost or stolen, the data stored on it can be easily accessed by unauthorized individuals. Encryption helps protect the data even if the physical device falls into the wrong hands. Without encryption, sensitive information could be exposed, potentially leading to data leakage, data breaches, and compliance violations. While the other options also present security risks, such as remote work without proper security measures (Option A), lack of security awareness training (Option C), and outdated security policies (Option D), not encrypting desktops can have more immediate and direct consequences in terms of data leakage.
upvoted 2 times
...
007Georgeo
1 year, 6 months ago
Selected Answer: B
B is correct, security awareness training can educate staff about the risks of data leakage and how to prevent it. However, failing to encrypt desktops leaves data vulnerable to theft, and this risk cannot be fully mitigated without encryption.
upvoted 1 times
...
BabaP
1 year, 6 months ago
Selected Answer: B
B is correct, this is about Data leakage
upvoted 1 times
BabaP
1 year, 6 months ago
Not sure but A and C are risks too
upvoted 2 times
...
...
saado9
1 year, 8 months ago
A. Staff is allowed to work remotely.
upvoted 2 times
...
kertyce
1 year, 9 months ago
C is the answer
upvoted 4 times
...
Staanlee
1 year, 10 months ago
The answer should be C. I'm trying to understand how B is the answer.
upvoted 1 times
007Georgeo
1 year, 6 months ago
Security awareness training can educate staff about the risks of data leakage and how to prevent it. However, failing to encrypt desktops leaves data vulnerable to theft, and this risk cannot be fully mitigated without encryption.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other