An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's
BEST course of action?
When an IS auditor notes that not all security tests were completed for an online sales system recently promoted to production, the primary concern should be to assess the risk that this incomplete testing poses to the business. Determining the exposure to the business helps in understanding the potential impact of any security vulnerabilities and informs the decision-making process for any remedial actions. It provides a risk-based approach to address the issue effectively.
I think the answer is A.
Only A
Do you think answer should be A?
yes, I think so.
Me too :D
Why not increase security monitoring first? Given that the security tests have not been completed, the business exposure level must be greater than zero.
Should be A
My thoughts: Option A makes sense if the question is about the "next" course of action. Option B makes sense if the question is about the "best" course of action. Please correct me if I'm wrong.
While increasing monitoring for security incidents (option B) is important, it is more reactive than proactive and does not directly address the underlying issue of incomplete security testing. Determining exposure to the business provides a more comprehensive understanding of the potential risks and allows for targeted mitigation efforts. Therefore, it is the best course of action for the IS auditor in this scenario.
should be B, I guess.