Certified in Risk and Information Systems Control (CRISC) — Question 1087
During an after-hours compliance review, a risk practitioner discovers sensitive documents on an employee’s desk in violation of company policy. Which of the following should the risk practitioner do NEXT?
Answer options
- A. Securely dispose of the documents.
- B. Recommend provision of secure document storage.
- C. Request an exception to the clear desk policy.
- D. Provide the employee with refresher training.
Correct answer: B
Explanation
The correct answer is B because recommending secure document storage addresses the root cause of the violation and helps prevent future occurrences. Options A and D deal with the immediate situation but do not provide a long-term solution. Option C is inappropriate as it seeks to bypass established policies rather than reinforce compliance.