nerdexam
(ISC)2

CISSP · Question #1459

A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to th

The correct answer is D. Submit the request using company official channels to ensure the policy is okay to distribute.. When a former employee requests confidential internal documents, the request must be routed through official organizational channels to ensure proper authorization and data governance controls are followed.

Submitted by packet_pusher· Mar 5, 2026Security and Risk Management

Question

A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to this request?

Options

  • AEmail the policy to the colleague as they were already part of the organization and familiar with it.
  • BDo not acknowledge receiving the request from the former colleague and ignore them.
  • CAccess the policy on a company-issued device and let the former colleague view the screen.
  • DSubmit the request using company official channels to ensure the policy is okay to distribute.

How the community answered

(49 responses)
  • A
    4% (2)
  • B
    8% (4)
  • C
    14% (7)
  • D
    73% (36)

Why each option

When a former employee requests confidential internal documents, the request must be routed through official organizational channels to ensure proper authorization and data governance controls are followed.

AEmail the policy to the colleague as they were already part of the organization and familiar with it.

Emailing confidential policy documents to a former employee bypasses authorization controls and violates data classification and need-to-know principles, as the individual no longer has an active, sanctioned relationship with the organization.

BDo not acknowledge receiving the request from the former colleague and ignore them.

Ignoring the request entirely is unprofessional and does not follow proper security incident or data request handling procedures, which typically require acknowledgment and formal processing.

CAccess the policy on a company-issued device and let the former colleague view the screen.

Allowing a former employee to view a confidential policy on a company device - even passively - still constitutes unauthorized disclosure of sensitive information to someone who no longer has sanctioned access rights.

DSubmit the request using company official channels to ensure the policy is okay to distribute.Correct

Submitting the request through official company channels ensures that data classification policies, need-to-know principles, and authorization controls are properly applied before any sensitive information is shared. A former employee no longer has an inherent right to access confidential policies, and official channels allow legal, HR, or management to determine if disclosure is appropriate. This follows the principle of least privilege and proper information security governance.

Concept tested: Data governance and access control for former employees

Source: https://www.nist.gov/system/files/documents/2017/05/09/SP800-53Ar4.pdf

Topics

#Data classification#Information sharing#Employee termination#Security policies

Community Discussion

No community discussion yet for this question.

Full CISSP Practice