Exam CISA
Question 430

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

    Correct Answer: D

    The greatest concern for an IS auditor should be whether the information security policy has been approved by the policy owner. This is crucial because the policy owner is typically the individual or group responsible for the oversight and implementation of the policy. Without the approval from the policy owner, the policy lacks official endorsement and authority, which undermines its effectiveness and enforceability. In comparison, mobile device provisions, frequency of review, and approval by the chief audit executive, while important, are less critical than having the policy formally sanctioned by its designated owner.

Discussion
Swallows Option: D

While the frequency of reviewing the information security policy (option B) is important for ensuring its relevance and alignment with evolving threats and organizational changes, it is secondary to the fundamental issue of having the policy approved by the appropriate authority (option D).

a84n Option: D

Answer D. It's important for the IS auditor to ensure that the information security policy has been approved by the appropriate senior management authority, whoever that may be in the organization.

Eric0223 Option: C

I would take C if this role indeed existed in the org. Policy owners equal to CAE.