Certified Information Systems Auditor (CISA) — Question 1094

An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:

Answer options

• A. escalate to senior management.
• B. assess the sensitivity of the production data.
• C. determine if sufficient access controls exist.
• D. shut down the web page.

Correct answer: B

Explanation

The correct answer is B because assessing the sensitivity of production data is crucial to understand the potential impact of the breach. Escalating to senior management (A) and shutting down the web page (D) may be necessary later, but first, understanding the data's sensitivity is essential. Checking access controls (C) is also important, but it comes after assessing the data's sensitivity.