An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following would be the
MOST appropriate action for the auditor to take?
When faced with a critical security issue reported by an employee, the most appropriate action for the IS auditor is to immediately conduct a review of the application. This approach allows the auditor to verify the severity and validity of the reported issue directly. If the issue is indeed critical, it would need prompt attention and resolution to mitigate any potential security risks. Other options like discussing with audit management or additional end users could delay the necessary immediate action required when a critical security threat is present.
Correct answer should be A. You cannot "start a review" immediately based on one user's feedback.
The word "immediately" is pretty strong, but there is nothing forbidding conducting a review of the application. Having said that, my review would probably start by gathering feedback from other end users. I love the way ISACA phrases their questions ...
C. Immediately conduct a review of the application.
Instead of making a decision based on a complaint from one user, it is better to verify whether other users are also experiencing the same issue. D makes sense.
Why isn't it C? Is it because the auditor might have other commitments? Wouldn't checking with more end users make more people aware of the security risk, which could be exploited by any disgruntled employee?
A conversation with your audit manager can help you clarify next steps to determine appropriate investigations and responses, and assess the severity of the issue. This approach is also important for formally recording the issue and engaging with other parties as needed.
When an individual user approaches an auditor, their response should always be coordinated with their audit management. Therefore A. It happens again and again that individual users try to instrumentalize auditors for their own interests. For example, if a user would have preferred a different solution and feels ignored and now wants to take revenge for their choice. As a result of the coordination with the audit management, option B., C. or D. may well emerge as a follow-up action.
C. Immediately conduct a review of the application.