Certified Information Systems Auditor (CISA) — Question 384
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
Answer options
- A. use a proxy server to filter out Internet sites that should not be accessed.
- B. keep a manual log of Internet access.
- C. include a statement in its security policy about Internet use.
- D. monitor remote access activities.
Correct answer: C
Explanation
The correct answer is C because establishing a clear security policy about Internet use sets the foundation for all other security measures. Without a policy, options like monitoring access or using a proxy may not be effective, because users might not be aware of the rules. The other options are important but should be implemented after the policy is in place.