Marouane>> No, remember as a CISSP, think that you are a risk advisor; you do not train or deploy things.
b) Roll out a password policy
Marouane>> Yes - However, this is a tricky question: you would think that any organization has some sort of password policy in place (regardless of whether it is more strict or not). So, the idea is to review the policy (if it exists) or roll out password policy changes to address the issue of weak passwords in this case.
c) Roll out a password guideline
Marouane>> Policy comes first, then guidelines and procedures come afterwards. If you see something wrong, you don't go directly to guidelines or start implementing procedures ...
d) Train employees on strong passwords
Marouane>> Did I say earlier that as a CISSP you do NOT train anyone?