You are the CISO of an IC design house and report to the CEO directly; confidentiality of customer privacy, and research and development data is the most concern. The use of any USB devices violates the acceptable usage policy (AUP). A customer account manager reports that many crucial customers are complaining about the efficiency of uploading files to the company’s file server. He suggests that the data can be transferred using a USB flash drive to streamline the collaboration process. As a CISO, what should you do FIRST?
A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drive as security is a business enabler. To help the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drive is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.

This post, Informed Decisions, states the justification.