Certified Information Systems Security Professional (CISSP) — Question 216
An organization is the victim of a major data breach just one month after passing an external cyber security audit. Which of the following is the likely reason for this situation?
Answer options
- A. Both the auditor and the organization validated the controls to be accurate.
- B. The organization had the minimum level of controls in place to pass the audit.
- C. The auditor performed an in-depth analysis of the required controls.
- D. The audit was initiated by appropriate levels of management in the organization.
Correct answer: B
Explanation
The correct answer is B because having only the minimum controls needed to pass the audit can leave vulnerabilities that are exploited after the audit. Options A and C imply a higher level of validation and scrutiny than actually took place, while D does not address the adequacy of the security controls themselves.