Why Option B is Correct:
To ensure security when employees use their own smart devices to access organizational applications, the best approach is to allow only pre-approved devices that meet the organization's security standards.
Device Security & Compliance: Approved devices are verified for security measures such as encryption, mobile device management (MDM) enrollment, and antivirus protection.
Risk Management: Restricting access to pre-approved devices reduces the risk of malware, unauthorized access, and exploitable vulnerabilities.
IT Control & Monitoring: IT can enforce security updates, compliance policies, and access control mechanisms on pre-approved devices.
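The three points above describe what a device-posture gate checks before a personal device is allowed to reach organizational applications. The following is an added illustration, not code from the original page or from the IIA/NIST documents it cites: it assumes a hypothetical device-attestation record (a dict as an MDM or endpoint agent might report) and a constructed list of pre-approved device identifiers. It deliberately ignores the employee's self-attestation field, because a written assurance is not a technical control.

```python
"""Device-posture gate for a BYOD access request (added example).

Assumptions (hypothetical, not from the page): an MDM/endpoint integration
hands us a dict describing the device, and IT maintains a list of
pre-approved device identifiers.
"""
from dataclasses import dataclass, field

# Constructed sample inventory of organization-approved device identifiers.
APPROVED_DEVICE_IDS = {"DEV-1001", "DEV-1002", "DEV-1003"}

# Minimum OS versions the organization accepts (constructed values).
REQUIRED_MIN_OS = {"ios": (17, 0), "android": (14, 0)}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'17.2.1' -> (17, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(record: dict, approved=APPROVED_DEVICE_IDS) -> Decision:
    """Return allow/deny plus every failed check, so IT can report all gaps."""
    reasons = []

    # Pre-approval: the device must be on the organization's list (option B).
    if record.get("device_id") not in approved:
        reasons.append("device not on pre-approved list")

    # A jailbroken/rooted device has removed platform protections (option A).
    if record.get("jailbroken_or_rooted"):
        reasons.append("device is jailbroken/rooted")

    # Technical controls IT verifies on approved devices.
    if not record.get("mdm_enrolled"):
        reasons.append("not enrolled in MDM")
    if not record.get("disk_encrypted"):
        reasons.append("storage not encrypted")
    if not record.get("av_enabled"):
        reasons.append("antivirus/endpoint protection disabled")

    minimum = REQUIRED_MIN_OS.get(record.get("platform"))
    if minimum is None:
        reasons.append("unsupported platform")
    elif parse_version(record.get("os_version", "0")) < minimum:
        reasons.append("OS version below required minimum")

    # NOTE: record.get("employee_attestation_signed") is intentionally NOT
    # consulted. A written assurance (option C) does not change the device's
    # actual security state and must not substitute for the checks above.
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample attestation records.
SAMPLE_COMPLIANT = {
    "device_id": "DEV-1001", "platform": "ios", "os_version": "17.2.1",
    "jailbroken_or_rooted": False, "mdm_enrolled": True,
    "disk_encrypted": True, "av_enabled": True,
    "employee_attestation_signed": False,
}
SAMPLE_ROOTED = {
    "device_id": "DEV-1002", "platform": "android", "os_version": "13.0",
    "jailbroken_or_rooted": True, "mdm_enrolled": True,
    "disk_encrypted": True, "av_enabled": False,
    "employee_attestation_signed": True,
}
# Fully hardened but never approved by IT; the signed attestation is ignored.
SAMPLE_UNAPPROVED = dict(SAMPLE_COMPLIANT, device_id="DEV-9999",
                         employee_attestation_signed=True)


if __name__ == "__main__":
    for name, rec in [("compliant", SAMPLE_COMPLIANT),
                      ("rooted", SAMPLE_ROOTED),
                      ("unapproved", SAMPLE_UNAPPROVED)]:
        decision = evaluate_device(rec)
        print(name, "ALLOW" if decision.allowed else "DENY", decision.reasons)
```

Running the module prints one line per sample: the approved, compliant device is allowed; the rooted device is denied with three reasons (rooted, antivirus off, OS too old); the unapproved device is denied solely because it is not on the list, regardless of the signed attestation.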
Why Other Options Are Incorrect:
Option A (Using a jailbroken or rooted smart device feature): Jailbroken or rooted devices remove platform security protections and create severe security vulnerabilities.
Option C (Obtaining written assurance from the employee that security policies and procedures are followed): Written assurances alone are not a security measure; technical controls must be enforced.
Option D (Introducing a security question known only by the employee): Security questions are a weak authentication measure and do not verify the legitimacy of a device.
IIA References:
IIA's GTAG on Information Security Management stresses the importance of device security and of requiring IT-approved devices.
NIST Special Publication 800-124 (referenced in IIA's IT Audit Guidance) highlights best practices for securing mobile devices in an enterprise setting, recommending pre-approved devices.
Thus, the most appropriate answer is B. Using only smart devices previously approved by the organization.