Certified Information Systems Auditor (CISA) — Question 140

An organization recently decided to send the backup of its customer relationship management (CRM) system to its cloud provider for recovery. Which of the following should be of GREATEST concern to an IS auditor reviewing this process?

Answer options

• A. Testing of restore data has not been performed.
• B. Validation of backup data has not been performed.
• C. Backups are sent and stored in unencrypted format.
• D. The cloud provider is located in a different country.

Correct answer: C

Explanation

The greatest concern is that backups are sent and stored in unencrypted format, as this poses a significant security risk, exposing sensitive customer data to unauthorized access. While testing and validation are important, they do not present an immediate risk to data confidentiality like unencrypted backups do. The location of the cloud provider is also a factor, but it is less critical than the security of the data itself.