An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?
A. Exceptions do not change residual risk.
B. Exceptions are approved for predefined periods.
C. Exceptions require changes to the policy.
D. Exceptions are approved by the board of directors.
When exceptions to an information security policy are approved, it is critical that they are temporary and reviewed periodically to ensure they do not become permanent gaps in security controls. Approving exceptions for predefined periods allows the organization to re-evaluate and address the underlying causes of the exception, ensuring that risk is managed effectively over time.
Confirming that exceptions to the information security policy do not change the residual risk is crucial. Residual risk refers to the level of risk that remains after controls have been implemented or exceptions have been granted.
Exceptions are breaches in the internal controls, and residual risks are not mitigated by the internal controls, as they still remain after the controls, so exceptions will not work for them. A is the answer.
B. Exceptions are approved for predefined periods.
Community vote distribution: A (35%), C (25%), B (20%), Other