312-50V10 · Question #810
Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT Security. Several information security issues that Vlady often found includes, em
The correct answer is A. Warning to those who write password on a post it note and put it on his/her desk. When employees are actively committing visible security violations like posting passwords at their desks, the immediate first action is direct behavioral correction through a warning.
Question
Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT Security. Several information security issues that Vlady often found includes, employees sharing password, writing his/her password on a post it note and stick it to his/her desk, leaving the computer unlocked, didn't log out from emails or other social media accounts, and etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as password, a secret and they should not share it with other persons. Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand to importance of keeping confidential information a secret?
Options
- AWarning to those who write password on a post it note and put it on his/her desk
- BDeveloping a strict information security policy
- CInformation security awareness training
- DConducting a one to one discussion with the other employees about the importance of information
How the community answered
(22 responses)- A91% (20)
- C5% (1)
- D5% (1)
Why each option
When employees are actively committing visible security violations like posting passwords at their desks, the immediate first action is direct behavioral correction through a warning.
Issuing a direct warning to employees visibly displaying passwords on post-it notes is the most immediate corrective action because it stops an active, observable security violation in real time without any delay. This creates immediate accountability and signals that security behavior will be enforced before formal programs are developed or rolled out. Addressing the most critical and currently active risk first is the standard security triage principle.
Developing a security policy is necessary long-term but requires drafting, review, and approval time, meaning the active violations continue unaddressed in the interim.
Security awareness training is a valuable long-term investment but cannot be designed and delivered instantly, and it does not immediately stop the employees currently exposing credentials.
One-on-one discussions are too time-consuming to scale across all affected employees quickly enough to stop the widespread, ongoing violations happening right now.
Concept tested: Security policy enforcement and immediate violation remediation
Source: https://csrc.nist.gov/publications/detail/sp/800-50/final
Topics
Community Discussion
No community discussion yet for this question.