Exam CISM topic 1 question 776 discussion

The answer should be C. Communicate the acceptable use policy as that is the only one that addresses the issue now. Rationale: A. Revise the policy - This will take time and not do anything for the status quo. B. Conduct a risk assessment - This should be done after the policy has been communicated cause the risk has already occurred. They have phones. The question now is how bad is it going to be. If it's going to be bad as a stop-gap people need to be reminded of the acceptable use policy. D. Perform a root cause analysis - For what? We already know the cost.

The information security manager's FIRST course of action should be to communicate the acceptable use policy. Therefore, the correct answer is option C.

B - helps to understand the potential risks and impacts associated with the use of web cameras in the office.

first to conduct the risk assessment

B- There is no point of C when based on the question, the policy does not allow the use of cameras therefore, no acceptable use policy occurs addressing that. Communicating existing policy would only prohibit the use of cameras.

I think B. The reason being it's already a violation of policy which means a policy revision should occur. Conduct risk assessment, present it to stake holders, revise policy and publish acceptable use policy after all this.

employees have been "issued smartphones and tablet computers" with enabled web cameras To my understanding, "issued" was done by the company.

employees have been issued smartphones and tablet computers with enabled web cameras

B. Conduct a risk assessment. The information security manager's first course of action should be to conduct a risk assessment to understand the potential security risks and implications associated with the use of smartphones and tablet computers with enabled web cameras in violation of the policy. This assessment will help identify the specific security risks, assess their likelihood and impact, and determine appropriate mitigation measures. Once the risks are understood, the information security manager can then proceed with revising the policy, communicating the acceptable use policy, and performing a root cause analysis as necessary.

C. Communicate the acceptable use policy. Before revising the policy or conducting a risk assessment, it's essential to ensure that employees are aware of the existing policy and the reasons behind it. By communicating the acceptable use policy clearly to employees, including the prohibition of camera use at the office, the manager can help ensure that employees understand the rules and their importance.

i vote ....B. Conduct a risk assessment.

Option C may not be correct because “AUP should be communicated before employees have been issued smartphones and tablet computers”

I went with B because the question states the use of cameras in the office, but the users were "issued" the phones and tablets with web enabled cameras. For me, the question did not explicitly state that it was an acceptable use policy that prevent the usage of cameras, could have been a security policy. It sounds to me like new technology was introduced and a risk assessment needs to be conducted.

B is correct