An external auditor visits the human resources department and performs a physical security assessment.
The auditor observed documents on printers that are unclaimed.
A closer look at these documents reveals employee names, addresses, ages, and types of medical and dental coverage options each employee has selected.
Which of the following is the MOST appropriate actions to take?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
The correct answer is C. Retrieve the documents, label them with a PII cover sheet, and return them to the printer.
Explanation: The documents contain personally identifiable information (PII) which is sensitive and confidential information that should be protected from unauthorized access, use, or disclosure. The fact that the documents are unclaimed means that anyone could potentially access them and compromise the privacy of the employees whose information is contained in them.
Option A, flipping the documents face down, is not a suitable solution because it does not provide any protection for the PII. Anyone can still access the documents and view the information.
Option B, shredding the documents and letting the owner print a new set, is not appropriate because it would require the owner to know that the documents were shredded and to reprint them. Also, the documents may contain confidential information that cannot be easily replaced.
Option D, reporting to the human resources manager that their personnel are violating a privacy policy, may be necessary if the violation is significant or if it is part of the auditor's mandate to report such violations. However, in this case, the most appropriate action is to take immediate steps to protect the confidentiality of the PII.
Option C, retrieving the documents, labeling them with a PII cover sheet, and returning them to the printer, is the best course of action. This will ensure that the documents are not accessible to unauthorized individuals, and it will also alert anyone who sees the documents that they contain sensitive PII. The PII cover sheet should clearly indicate that the documents contain confidential information and should not be viewed or disclosed to anyone who does not have a need to know.