Certified in the Governance of Enterprise IT (CGEIT) — Question 136

Which of the following should be the FIRST step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business?

Answer options

• A. Post awareness messages throughout the facility.
• B. Develop and disseminate an applicable policy.
• C. Provide training on how to protect data on personal devices.
• D. Require employees to read and sign a disclaimer.

Correct answer: B

Explanation

The correct answer is B because developing and disseminating an applicable policy lays the foundation for acceptable use guidelines. Without a clear policy, awareness messages, training, or disclaimers would lack effective context and enforcement, making it challenging for employees to understand their responsibilities regarding personal devices.