Certified Information Systems Auditor (CISA) — Question 680

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Answer options

Correct answer: B

Explanation

The correct next step for the IS auditor is to identify existing mitigating controls (Option B), because how the weakness is currently being managed determines whether it is actually exploitable and how severe the finding is. Disclosing findings to management (Option A) would be premature without that context: the same configuration weakness may be a minor observation if compensating controls are in place, or a significant finding if they are not. Attempting to exploit the weakness (Option C) is unethical, falls outside the auditor's role, and could lead to further security issues. Assisting in drafting corrective actions (Option D) is likewise premature until the current controls have been evaluated, since the appropriate remediation depends on what is already in place.