CompTIA Security+ (SY0-501) — Question 608
A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree.
Having reached a stalemate, which of the following is the MOST appropriate action to take NEXT?
Answer options
- A. Elevate to the Chief Executive Officer (CEO) for redress; change from the top down usually succeeds.
- B. Find the privacy officer in the organization and let the officer act as the arbiter.
- C. Notify employees whose names are on these files that their personal information is being compromised.
- D. To maintain a working relationship with marketing, quietly record the incident in the risk register.
Correct answer: B
Explanation
The most appropriate next step is to find the organization's privacy officer, who has the expertise to address issues related to PII, and let that officer act as the mediator. Elevating the issue to the CEO may not be necessary at this stage, while notifying employees might create unnecessary panic. Quietly recording the incident does not address the underlying problem of potential PII exposure.