CISA Exam Questions

CISA Exam - Question 670


An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:

Correct Answer: AC

When an IS auditor discovers a high-risk vulnerability in a public-facing web server used to process online customer payments, the first step should be to identify compensating controls. This means assessing whether existing security measures already mitigate the risk the vulnerability poses, so that the residual risk is understood rather than assumed. Once the auditor has a clear picture of the existing controls and the actual level of risk, they can inform the appropriate personnel or committee and take further action, such as documenting the exception and reviewing security incident reports.

Discussion

9 comments
Greensign (Option: C)
Sep 23, 2022

C is more appropriate for the first thing to do as IS auditor.

MunaM (Option: C)
Sep 7, 2022

Could the answer be C, as the auditor can find compensating controls before notifying the audit committee?

Deeplaxmi (Option: C)
Sep 20, 2022

C, I think.

007Georgeo (Option: A)
May 12, 2023

A is the correct answer. By notifying the appropriate personnel, they can take immediate action to remediate the vulnerability and prevent any potential damage to the organization and its customers. Once the vulnerability has been addressed, the auditor can then review security incident reports (option B) and identify compensating controls (option C) as part of the audit process. Documenting the exception in an audit report (option D) would be appropriate after the vulnerability has been addressed and the audit is complete.

m4s7er (Option: C)
Jan 26, 2023

Answer is C.

JONESKA (Option: C)
Jul 17, 2023

I also think it's C. As an auditor, we would identify the compensating controls, if any, before notifying the audit committee.

gomboragchaa (Option: B)
Dec 14, 2022

C is more appropriate.

3008 (Option: A)
Aug 2, 2023

A is the answer.

Swallows (Option: C)
Jul 7, 2024

Notifying the audit committee (option A) is important, but it is typically done after the immediate risk mitigation steps have been taken. The audit committee may need to be informed about the vulnerability, its impact, and the actions taken or planned to address it.