Information security best practice: Of the following procedures intended to maximize security, which is the most important and foundational control?

Difficulty: Medium

Correct Answer: do not allow unbonded service people to work on your equipment

Explanation:


Introduction / Context:
Security controls are layered, but the foundation is controlling who has physical and privileged access to systems. The question asks you to identify the most critical practice among several measures, focusing on risk reduction against insider threats and supply chain exposure.


Given Data / Assumptions:

  • Third-party installers or service personnel may request privileged or physical access.
  • “Bonded” implies the provider is insured and has undergone vetting.
  • A single unvetted technician can bypass many technical controls.


Concept / Approach:
Apply the principle of least privilege and vendor risk management. Physical access equals total access: once an attacker touches the hardware, software controls can often be subverted. Therefore, strict personnel vetting and access control outrank ancillary practices in baseline importance.


Step-by-Step Solution:

1) Identify the control that prevents unvetted individuals from obtaining privileged access.
2) Compare alternatives that, while useful, do not directly mitigate supply chain/insider risk.
3) Choose the option that enforces strict access by bonded (vetted and insured) personnel only.


Verification / Alternative check:
Security frameworks emphasize personnel screening and access control (e.g., background checks, sign-in/out, supervision). These reduce the blast radius of insider compromise more than documentation storage practices or ad-hoc tests.


Why Other Options Are Wrong:

  • do not leave training manuals unsecured: good practice but low-impact compared with privileged access control.
  • run regular simulated tests using TARP: unclear method; testing alone cannot offset poor access controls.
  • Verify the reputation of the people installing your system: helpful but weaker than formal bonding/contractual assurances.
  • None of the above: incorrect because one option addresses the core risk directly.


Common Pitfalls:
Overvaluing paperwork or reputational checks while underestimating the necessity of enforceable, audited access control and vendor management.


Final Answer:
do not allow unbonded service people to work on your equipment
