
CISA Exam - Question 371


Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

Correct Answer: AD

Security policy documents being available on a public domain website should be the greatest concern when reviewing an organization's security controls for policy compliance. This exposure represents a significant security risk, as it can provide potential attackers with insights into the organization’s security measures, making it easier for them to find and exploit vulnerabilities. Ensuring that such sensitive documents are protected and only accessible to authorized personnel is crucial for maintaining the integrity and confidentiality of the organization’s security posture.

Discussion

5 comments
Changwha (Option: A)
Jul 16, 2023

A. Security policies are not applicable across all business units.

JonnyBGood (Option: A)
Jun 1, 2024

Not having a security policy in some business units is a great concern. Security policies do not necessarily have to be reviewed on a yearly basis.

Sibsankar (Option: D)
Mar 3, 2024

Maybe D

a84n (Option: C)
Apr 28, 2024

Answer: C. A potential failure in the organization's governance process by not regularly reviewing and updating security policies. This lack of review could result in outdated policies that no longer address current threats or compliance requirements, leading to gaps in security and increased risk exposure.

Option A: It's more of a structural issue that needs to be addressed in the long term.

Option D: Might not have an immediate impact on policy compliance if the policies themselves are up to date and effectively implemented.

topikal (Option: A)
Jun 19, 2024

A is a greater concern than C