Exam CISSP topic 1 question 248 discussion

The correct answer is A. Publish an acceptable usage policy. Before allowing personnel to access social media from a corporate device or user account, the organization should publish an acceptable usage policy that outlines the acceptable use of social media and the consequences of violating the policy. This policy should be communicated to all personnel and should cover topics such as the types of social media that are allowed, the types of content that can be posted, and the risks associated with social media use. The policy should also outline the procedures for reporting incidents and the consequences of violating the policy.

D. This question asks for the FIRST step. The first step is to write a doc on how to access, then you publish it and train employees. It has to be written first.

CISSP Official Study Guide pg 96 "Workers can easily waste time and system resources by interacting with social media when that task is not part of their job description. The company's acceptable user policy (AUP) should indicate that workers need to focus on work while at work rather than spending time on personal or non-work-related tasks."

AUP.. Employees sign when they start as it applies to Corporate owned assets.

An acceptable usage policy (AUP) is a document that outlines the acceptable and prohibited behaviors for personnel when using organizational resources, such as computers, networks, and user accounts. This includes guidelines for the use of social media, both in terms of content and interactions.

I go with C. The security awareness training should come first before AUP.

AUP is done first as it has to be sign when allowed to use a corporate device. So A.

C is correct and encompasses everything the employee should follow in this scenario.

First conduct security awareness training on the dangers of social media and social engineering, then publish an acceptable use policy. Social media can be a means by which workers intentionally or accidentally distribute internal, confidential, proprietary, or PII data to outsiders. This may be accomplished by typing in messages or participating in chats in which they reveal confidential information. This can also be accomplished by distributing or publishing sensitive documents.