When implementing Mobile Device Management (MDM) software, organizations must balance security and employee privacy. Since MDM allows remote wiping of data, it is essential to ensure that personal data remains protected and is not accessible or deleted by administrators.
Analysis of Each Option:
(A) That those employees who do not consent to MDM software cannot have an email account:
While organizations may require MDM for security, they should offer alternative access methods (e.g., web-based email) to avoid strict enforcement that could impact employee productivity.
Denying access entirely may violate employment agreements or privacy laws in certain jurisdictions.
(B) That personal data on the device cannot be accessed and deleted by system administrators (Correct Answer):
The organization should ensure that MDM software does not intrude on personal data such as photos, messages, and private applications.
Best practice is to configure MDM to only manage corporate data and applications, ensuring that personal files remain untouched.
This aligns with privacy laws such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
(C) That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them:
Ethical and legal standards require transparency when monitoring employees.
Covert monitoring is generally illegal under privacy laws like GDPR and the U.S. Electronic Communications Privacy Act (ECPA).
(D) That employee consent includes appropriate waivers regarding potential breaches to their privacy:
While obtaining consent is important, organizations cannot force employees to waive their legal privacy rights.
Consent alone does not justify unrestricted access to personal data.
IIA References:
IIA GTAG 17: Auditing IT Security – Recommends safeguarding personal and corporate data in BYOD (Bring Your Own Device) policies.
COBIT Framework – DSS05 (Manage Security Services) – Advises organizations to define policies that protect corporate assets without violating employee privacy.
ISO/IEC 27001: Information Security Management System – Requires organizations to implement security controls without infringing on employee rights.
Conclusion:
Since personal data privacy must be preserved, option (B) is the correct answer.