An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?
An IS auditor observing exceptions in information security policies should confirm that these exceptions are approved for predefined periods. This ensures that each exception is periodically reviewed and re-evaluated to determine if it is still necessary and whether the associated risks are still acceptable. This process also helps in maintaining the overall security posture by limiting the duration of potential vulnerabilities.
Exceptions are breaches in the internal controls, and residual risks are not mitigated by the internal controls, as they still remain after the controls, so exceptions will not work for them. A is the answer.
Confirming that exceptions to the information security policy do not change the residual risk is crucial. Residual risk refers to the level of risk that remains after controls have been implemented or exceptions have been granted.
A is correct.
It has to be approved by higher (top) management.
B. Exceptions are approved for predefined periods.