Implementing Controls to Address CEO's Concerns

The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis.

However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country.

The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk.

Which of the following would be BEST to mitigate the CEO's concerns? (Choose two.)

A.

Geolocation

B.

Time-of-day restrictions

C.

Certificates

D.

Tokens

E.

Geotagging

F.

Role-based access controls.

AB.

The CEO wants to allow employees to work from home anytime during business hours, but also wants to ensure that employees are not taking advantage of this flexibility by working from high-risk countries or outsourcing work to third-party organizations in other countries. The CIO believes that basic controls can be implemented to mitigate these risks. Two of the best controls to mitigate the CEO's concerns are:

A. Geolocation: Geolocation is the process of determining the physical location of a device or user. By implementing geolocation controls, the organization can track the location of its employees and prevent them from accessing company resources from high-risk countries. For example, if an employee tries to access company resources from a location that is known to be a high-risk country, the system could deny access or require additional authentication.

B. Time-of-day restrictions: Time-of-day restrictions can limit when employees can access company resources. By implementing time-of-day restrictions, the organization can prevent employees from accessing company resources outside of normal business hours or during holidays. For example, the system could be configured to allow access only during normal business hours or during specific times when the employee is expected to be working.

C. Certificates: Certificates are digital documents that can be used to authenticate the identity of a user or device. While certificates can be used to authenticate employees, they are not the best control for mitigating the CEO's concerns about employees working from high-risk countries or outsourcing work to third-party organizations.

D. Tokens: Tokens are physical or digital devices that can be used to authenticate the identity of a user or device. Like certificates, tokens can be used to authenticate employees, but they are not the best control for mitigating the CEO's concerns about employees working from high-risk countries or outsourcing work to third-party organizations.

E. Geotagging: Geotagging is the process of adding geographical identification metadata to media such as photos or videos. While geotagging can be used to track the location of employees, it is not the best control for mitigating the CEO's concerns about employees working from high-risk countries or outsourcing work to third-party organizations.

F. Role-based access controls: Role-based access controls (RBAC) restrict access to resources based on a user's role in the organization. While RBAC can be a useful control for managing access to resources, it is not the best control for mitigating the CEO's concerns about employees working from high-risk countries or outsourcing work to third-party organizations.

In conclusion, the best controls to mitigate the CEO's concerns about employees working from high-risk countries or outsourcing work to third-party organizations are geolocation and time-of-day restrictions.