What is the most appropriate recommendation for an IS auditor discovering personal software installations on users' PCs, where the policy lacks explicit prohibition?

Prepare for the CISA Domain 4 Exam with tailored quizzes. Enhance your auditing skills with detailed explanations and practice multiple-choice questions for cybersecurity professionals. Optimize your study time and ensure success!

Updating the security policy to specify unauthorized software restrictions is the most appropriate recommendation in this scenario. By clearly defining what constitutes unauthorized software, the organization establishes a formal guideline that users must follow. This clarity helps to create an understanding of acceptable practices and reinforces compliance among employees.

When the policy explicitly states what software is permitted and what is not, it removes ambiguity. Users may not be aware of the risks of installing personal software, which can introduce security vulnerabilities, lead to data breaches, and create compliance issues. An updated policy gives the organization the authority to enforce restrictions and provides a basis for action if users violate these guidelines.

Revising the policy is crucial precisely because the current policy lacks an explicit prohibition. Putting clear standards in place is a proactive step that lets the organization prevent future unauthorized software installations and strengthens its overall security posture.
