Certified Information Systems Security Professional (CISSP) — Question 10

The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process; therefore, has assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks the audit concludes that the company's policies and procedures are sufficient, robust and well established. The CEO then moves on to engage an external penetration testing company in order to showcase the organization's robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity in the results of the audit and the external penetration test?

Answer options

• A. The audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them.
• B. The scope of the penetration test exercise and the internal audit were significantly different.
• C. The external penetration testing company used custom zero-day attacks that could not have been predicted.
• D. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.

Correct answer: A

Explanation

The correct answer is A because the Sales Director, who conducted the internal audit, may not possess the necessary technical expertise to evaluate the information security measures adequately, leading to an overly optimistic assessment. The other options either suggest discrepancies in scope, unpredicted attacks, or information withholding, which do not directly address the audit team's capability to provide an objective evaluation.