CISSP test question LEAST effective security control

Which of the following is the LEAST effective security control regarding sensitive data stored on mobile devices?

A Back up all devices to an organizationally managed repository.

B Implement full-volume encryption on all mobile devices.

C Require that all mobile devices be wipeable remotely if stolen or misplaced.

D Enact a policy prohibiting the access or storage of sensitive corporate data on personal mobile devices.
CISSP Practice Exams, Fifth Edition posts the correct answer as D, but the explanation for A explains:

A is incorrect because backing up all devices to an organizationally managed repository is an extremely important measure to protect corporate data, and one that is unlikely to result in intentional user circumvention.

My opinion is A is the obvious solution since backing up data to another outlet has nothing to do with the security control of the data on the original device/location.
Would someone please explain how copying data to another place have anything to do with the security of the data on the original device, in this case a mobile device? Therefore A should be the answer to the question.

Find more posts tagged with

CISSP test question LEAST effective security control

Comments

csgauss

here's the full answer if you need it

Answer:

D. Merely enacting a policy does not guarantee that it will be followed to good effect, particularly if it is one that is both difficult to enforce technically and unpopular among users. The use of personal devices to store and process corporate data such as e-mails and office documents is extremely popular and widespread. Consequently, realistic technical measures must be brought to bear.

B is also incorrect for the exact same reasons as A.

C is incorrect because, although some users will likely resist agreeing to what they perceive as a draconian measure, requiring remote wiping capability is a legitimate and effective security control, and users' agreement to it can be made a condition to the use of even personally owned devices in the corporate environment. Consent can and should be documented as part of a signed employee agreement, and the approved device should be inventoried as a corporate asset.

csgauss

short version: I read the question as the security of the data on the mobile device NOT the loss of the data (with respect to the business) on the mobile device.
for example, if the phone is stolen, the business still has the data (integrity and availability), but the security of the data (in this case confidentiality) has been completely compromised.

EricO

I think of "security" as all of the CIA triad, not just confidentiality. I think the question could have been worded a little better, but of the choices, I would have selected D as the least effective.

AveryCarlton

Thank you so much for answering.