A security manager has received the following email from the Chief Financial Officer (CFO):
“While I am concerned about the security of the proprietary financial data in our ERP application, we have had
a lot of turnover in the accounting group and I am having a difficult time meeting our monthly performance
targets. As things currently stand, we do not allow employees to work from home but this is something I am
willing to allow so we can get back on track. What should we do first to securely enable this capability for my
group?” Based on the information provided, which of the following would be the MOST appropriate response to
the CFO?

A.
Remote access to the ERP tool introduces additional security vulnerabilities and should not be allowed.

B.
Allow VNC access to corporate desktops from personal computers for the users working from home.

C.
Allow terminal services access from personal computers after the CFO provides a list of the users working
from home.

D.
Work with the executive management team to revise policies before allowing any remote access.