CISA Exam Questions

CISA Exam - Question 485


Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization's information security policy?

Correct Answer: AB

The best way for an IS auditor to validate that employees have been made aware of the organization's information security policy is to interview employees to determine their level of understanding of the policy. This approach directly assesses employees' awareness and comprehension of the policy, which is crucial for ensuring that they have actually been informed and understand the policy. Simply comparing an employee roster against a list of those who attended security training does not confirm that employees have internalized the information or understood it.

Discussion

NicklM (Option: A)
May 3, 2023

should be A

starzuu
Jul 27, 2023

I think B is correct. To "validate" that employees have been made aware, the most objective and straightforward way would be B. A relies on individual employees' ability to recall and explain the policy. Therefore it may not accurately reflect whether they were made aware of the policy, especially if some time has passed since they had been told about it.

takuanism (Option: A)
Jan 13, 2024

It seems A is a good answer, I guess...

JongHyun (Option: A)
May 9, 2024

Absolutely A.

shalota2 (Option: B)
Jun 10, 2024

I think it is B, because it says "made aware". It is not asking about the effectiveness of information security policies or how much they understand.

RS66 (Option: B)
Jul 5, 2024

Why interview hundreds of people when you have a list of people who attended the training? I say B is more logical.