An employee’s sharing pictures taken in the office or daily life is subject to data disclosure. Which of the following security control is the most effective and should be implemented first to ensure security?
A. Data Loss Prevention (DLP) solutions
B. Bring Your Own Device (BYOD) solutions
C. Acceptable use policy (AUP)
D. Security awareness training
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Acceptable use policy (AUP).
Most of the security practice questions will treat security awareness as the best solution to social engineering attacks. It can be, but it depends on the context of the question. The keywords of this question are effective and first.
Any effort that is not compliant with the organizational policies is in vain. In other words, a policy determines the effectiveness of security controls and should be established first. Policies direct the implementation of Data Loss Prevention (DLP) solutions, Bring Your Own Device (BYOD) solutions, and Security awareness training.
According to ISO 27001, all employees should receive regular updates in organizational policies and procedures. This is typically done through awareness training and education. If policies are not established, they can’t be communicated to employees in awareness training.
- A policy stands for the “intentions and direction of an organization, as formally expressed by its top management.” (ISO 22301)
- It affects people’s behavior and directs an organization’s operations.
- Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. (Wikipedia)
- Effectiveness is the extent to which planned activities are realized and planned results are achieved. (ISO 9000)
- A.7 Human resource security
To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
- A.7.2 During employment
- A.7.2.2 Information security awareness, education, and training
- All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.