Certified Information Systems Security Professional (CISSP) — Question 54

An organization's internal audit team performed a security audit on the company's system and reported that the manufacturing application is rarely updated along with other issues categorized as minor. Six months later, an external audit team reviewed the same system with the same scope, but identified severe weaknesses in the manufacturing application's security controls. What is MOST likely to be the root cause of the internal audit team's failure in detecting these security issues?

Answer options

• A. Inadequate security patch testing
• B. Inadequate test coverage analysis
• C. Inadequate log reviews
• D. Inadequate change control procedures

Correct answer: B

Explanation

The correct answer is B, as inadequate test coverage analysis can lead to critical security vulnerabilities being overlooked during audits. The internal audit team may have focused on less significant issues, failing to thoroughly evaluate the application's security controls, unlike the external team that identified the severe weaknesses. The other options, while potentially relevant, do not directly explain the failure to detect significant security issues in the application.