CISSP · Question #1459
A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to th
The correct answer is D. Submit the request using company official channels to ensure the policy is okay to distribute.. When a former employee requests confidential internal documents, the request must be routed through official organizational channels to ensure proper authorization and data governance controls are followed.
Question
Options
- AEmail the policy to the colleague as they were already part of the organization and familiar with it.
- BDo not acknowledge receiving the request from the former colleague and ignore them.
- CAccess the policy on a company-issued device and let the former colleague view the screen.
- DSubmit the request using company official channels to ensure the policy is okay to distribute.
How the community answered
(49 responses)- A4% (2)
- B8% (4)
- C14% (7)
- D73% (36)
Why each option
When a former employee requests confidential internal documents, the request must be routed through official organizational channels to ensure proper authorization and data governance controls are followed.
Emailing confidential policy documents to a former employee bypasses authorization controls and violates data classification and need-to-know principles, as the individual no longer has an active, sanctioned relationship with the organization.
Ignoring the request entirely is unprofessional and does not follow proper security incident or data request handling procedures, which typically require acknowledgment and formal processing.
Allowing a former employee to view a confidential policy on a company device - even passively - still constitutes unauthorized disclosure of sensitive information to someone who no longer has sanctioned access rights.
Submitting the request through official company channels ensures that data classification policies, need-to-know principles, and authorization controls are properly applied before any sensitive information is shared. A former employee no longer has an inherent right to access confidential policies, and official channels allow legal, HR, or management to determine if disclosure is appropriate. This follows the principle of least privilege and proper information security governance.
Concept tested: Data governance and access control for former employees
Source: https://www.nist.gov/system/files/documents/2017/05/09/SP800-53Ar4.pdf
Topics
Community Discussion
No community discussion yet for this question.