Certified in Risk and Information Systems Control (CRISC) — Question 447

An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Answer options

• A. Industry best practices
• B. Organizational strategy
• C. Organizational policy
• D. Employee code of conduct

Correct answer: C

Explanation

The correct answer is C, as organizational policy outlines the rules and guidelines for using such monitoring systems, ensuring compliance with legal and ethical standards. While industry best practices, organizational strategy, and employee codes of conduct can influence usage, they do not provide the formal framework needed for operational implementation.