Accessing Corporate Documents from Non-Compliant Mobile Devices: CISM Exam Question Answer

How to Address a CEO's Request for Access to Corporate Documents from a Non-Compliant Mobile Device


Question

A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy.

The information security manager should FIRST:

Answers

Explanations

A. Evaluate a third-party solution.
B. Deploy additional security controls.
C. Evaluate the business risk.
D. Initiate an exception approval process.

C.

When a CEO requests access to corporate documents from a mobile device that does not comply with organizational policy, the information security manager should FIRST evaluate the business risk (Option C). The request is a policy exception, and an exception cannot be approved, declined, or mitigated sensibly until its risk is understood. Evaluating the business risk means identifying what the non-compliant device lacks (for example, device encryption, screen lock, remote wipe, or management enrollment), determining the likelihood of a security incident arising from that gap, and assessing the potential impact given the sensitivity of the documents involved. The CEO's seniority does not change the analysis; it only changes who must accept the residual risk.

Once the business risk is evaluated, the information security manager can determine the appropriate next step. If the risk is acceptable, or can be reduced to an acceptable level, the manager initiates the exception approval process (Option D). The exception should be documented, time-limited, and approved at the appropriate level of authority. Because the requester is the CEO, that level is typically the board, an audit or risk committee, or whatever body the exception policy designates, since the CEO should not approve their own exception.

If the risk is unacceptable, the information security manager may need to deploy additional security controls (Option B) before access can be granted, such as enforcing strong authentication, encrypting the documents at rest and in transit, or requiring the device to be enrolled in mobile device management. Which controls are needed depends on the gaps identified in the risk evaluation, which is why that evaluation must come first.

In some cases, it may be appropriate to evaluate a third-party solution (Option A), such as a secure container or virtual workspace, to provide access from the CEO's device without exposing the documents to the non-compliant platform. This is a possible mitigation, not a first step; it should be considered only after the business risk has been evaluated and the required level of control has been determined.