A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
A. Document the reasons for the exception.
B. Include the application in IT risk assessments.
C. Propose that the application be transferred to IT.
Went looking for guidance from ISACA, found this: https://www.isaca.org/about-us/newsroom/press-releases/2017/isaca-shares-eight-controls-to-help-manage-shadow-it-and-optimize-its-benefits
IT department as a service-delivery organization kind of leans towards C.
It's not A, as this occurrence is quite popular, so it's not an exception. I am guessing either B or C, and will vote for C, as in IT the application will be subject to enterprise security assessment.
If it is not under IT's management, the risk assessment may not have any benefit to the company / no authority to change things for the better? Just guessing here.