CISSP · Question #1347
The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process; therefore, has assigned the
The correct answer is D. The audit team lacked the technical experience and training to make insightful and objective. The most likely reason for the disparity in the results of the audit and the external penetration test is that the audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them. The Sales Director, who conducted
Question
Options
- AThe external penetration testing company used custom zero-day attacks that could not have been
- BThe information technology (IT) and governance teams have failed to disclose relevant
- CThe scope of the penetration test exercise and the internal audit were significantly different.
- DThe audit team lacked the technical experience and training to make insightful and objective
How the community answered
(30 responses)- A10% (3)
- B27% (8)
- C7% (2)
- D57% (17)
Explanation
The most likely reason for the disparity in the results of the audit and the external penetration test is that the audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them. The Sales Director, who conducted the audit, may not have the necessary skills, knowledge, or tools to identify and evaluate the security issues and gaps in the company's information security posture. The audit team may have relied on the information provided by the IT and governance teams, without verifying or testing its accuracy or completeness. The audit team may have also been influenced by the bias or pressure from the CEO or other stakeholders, who wanted to show a positive image of the company's security.
Topics
Community Discussion
No community discussion yet for this question.