CISSP test question LEAST effective security control
Which of the following is the LEAST effective security control regarding sensitive data stored on mobile devices?
A Back up all devices to an organizationally managed repository.
B Implement full-volume encryption on all mobile devices.
C Require that all mobile devices be wipeable remotely if stolen or misplaced.
D Enact a policy prohibiting the access or storage of sensitive corporate data on personal mobile devices.
CISSP Practice Exams, Fifth Edition posts the correct answer as D, but the explanation for A explains:
A is incorrect because backing up all devices to an organizationally managed repository is an extremely important measure to protect corporate data, and one that is unlikely to result in intentional user circumvention.
My opinion is A is the obvious solution since backing up data to another outlet has nothing to do with the security control of the data on the original device/location.
Would someone please explain how copying data to another place has anything to do with the security of the data on the original device, in this case a mobile device? Therefore A should be the answer to the question.
Comments
-
csgauss: Here's the full answer if you need it.

Answer: D. Merely enacting a policy does not guarantee that it will be followed to good effect, particularly if it is one that is both difficult to enforce technically and unpopular among users. The use of personal devices to store and process corporate data such as e-mails and office documents is extremely popular and widespread. Consequently, realistic technical measures must be brought to bear.

A is incorrect because backing up all devices to an organizationally managed repository is an extremely important measure to protect corporate data, and one that is unlikely to result in intentional user circumvention.

B is also incorrect for the exact same reasons as A.

C is incorrect because, although some users will likely resist agreeing to what they perceive as a draconian measure, requiring remote wiping capability is a legitimate and effective security control, and users' agreement to it can be made a condition to the use of even personally owned devices in the corporate environment. Consent can and should be documented as part of a signed employee agreement, and the approved device should be inventoried as a corporate asset.
-
csgauss: Short version: I read the question as the security of the data on the mobile device, NOT the loss of the data (with respect to the business) on the mobile device.
For example, if the phone is stolen, the business still has the data (integrity and availability), but the security of the data (in this case confidentiality) has been completely compromised.
-
EricO: I think of "security" as all of the CIA triad, not just confidentiality. I think the question could have been worded a little better, but of the choices, I would have selected D as the least effective.