Certified Information Security Manager (CISM) — Question 560
An organization's security policy is to disable access to USB storage devices on laptops and desktops. Which of the following is the STRONGEST justification for granting an exception to the policy?
Answer options
- A. Users accept the risk of noncompliance.
- B. The benefit is greater than the potential risk.
- C. USB storage devices are enabled based on user roles.
- D. Access is restricted to read-only.
Correct answer: B
Explanation
The correct answer is B. A policy exception is a risk-acceptance decision, so the strongest justification is a documented business benefit that clearly outweighs the residual risk of enabling USB storage. Option A is weak because individual users are not the risk owners and cannot accept risk on the organization's behalf; the exception should be approved by management with the authority to accept it. Option C describes an access-control mechanism for implementing an exception, not a reason for granting one. Option D is a compensating control: read-only access reduces the risk (it limits data exfiltration, though it does not stop malware being introduced from the device), but reducing risk is not the same as justifying why the exception is needed.