Certified Information Security Manager (CISM) — Question 415
In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras. Which of the following should be the information security manager's FIRST course of action?
Answer options
- A. Revise the policy.
- B. Conduct a risk assessment.
- C. Communicate the acceptable use policy.
- D. Perform a root cause analysis.
Correct answer: C
Explanation
The correct answer is C, as communicating the acceptable use policy ensures that employees understand the rules regarding camera usage and can help mitigate potential violations. Revising the policy (A) or conducting a risk assessment (B) may be necessary later, but the immediate step is to clarify existing expectations. Performing a root cause analysis (D) is not relevant at this stage, as the need is to inform rather than investigate.