Mobile code is the code transmitted across a network and executed on a remote machine. Mobile code developers have little, if any, control over the runtime environment. However, special security concerns of mobile code become relevant. Which of the following is the most effective control to mitigate the risk of mobile codes?
A. Issue a program policy
B. Publish organizational standards
C. Establish step-by-step procedures
D. Create security baselines

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Publish organizational standards.

“Effective” means successful in producing a desired or intended result. It’s about doing the right things. Effective risk treatments reduce the risk to the extent that is acceptable to the management. Mitigating risk either lowers the likelihood, reduces the loss or impact, or both.

To be effective, the risk appetite or the risk criteria of acceptance for mitigating the risk of mobile codes have to be identified. Applying any controls without knowing the control objectives is ineffective.

Policies, standards, and procedures are mandatory administrative controls, while security baselines are technical controls.

• A policy stands for the “intentions and direction of an organization, as formally expressed by its top management.” (ISO 22301) It is effective if the applied controls meet the intentions of the management or the policy.
• However, a program policy is intended to initiate a program, say risk management program or business continuity program. A program policy is inappropriate for dealing with mobile codes. An issue-specific or system-specific policy is much better; I would suggest any of the two as the correct answer except the program policy.
• Procedures are intended to do things right. They are about “correctness.” For example, a procedure may assure creating security baselines without mistakes, but it cannot assure the security baselines meet the requirements of organizational standards.
• Security baselines are snapshots of security settings, configurations, or images. They are technical controls directed by policies, standards, and procedures. Creating security baselines without compliance with policies and standards is useless. Security baselines are typically created based on organizational standards. It is because the organizational standard mandates Windows 10 or higher, that the security baseline is created as a snapshot or image.
• The risk criteria of acceptance for mitigating the risk of mobile codes can be appropriately reflected in the organizational standards in this case so that the criteria of effectiveness can be established.

The justification above stands for my opinion and perspective only.  There’s no absolutely correct or right answer. Please feel free to comment to contribute your thoughts or perspectives.

Well-Known Mobile Codes

• JavaScript
• Adobe Flash
• Microsoft ActiveX
• Java Applet

References

• Unsafe Mobile Code
• Code mobility