ISACA CISA: BEST way for auditor if identifies legacy application to be decommissioned cannot meet security requirements

Learn how to handle policy noncompliance for legacy applications that are soon to be decommissioned in this CISA exam question and answer.

Question

An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy.

What is the BEST way for the auditor to address this issue?

A. Inform the IT director of the policy noncompliance.
B. Verify management has approved a policy exception to accept the risk.
C. Recommend the application be patched to meet requirements.
D. Take no action since the application will be decommissioned in three months.

Answer

B. Verify management has approved a policy exception to accept the risk.

Explanation

A policy exception is a formal authorization to deviate from a policy for a specific situation or period of time. It is usually granted by management or the policy owner after the risk and business impact of the deviation have been assessed. In this case, the IS auditor should verify that management has approved a policy exception for the legacy application that cannot meet the security requirements, and that the exception is documented, time-bound and monitored. This way, the auditor can confirm that the risk has been accepted by the appropriate authority and that the deviation is temporary and controlled rather than an unmanaged gap.

Answer A is incorrect because informing the IT director of the policy noncompliance does not, by itself, address the issue. The IT director may or may not be the policy owner or the risk owner, and may lack the authority to grant a policy exception or to direct corrective action. The IS auditor should verify that the policy exception has been approved by management or the policy owner, not merely that the IT director has been told about the noncompliance.

Answer C is incorrect because recommending that the application be patched to meet requirements may be neither feasible nor cost-effective for a legacy application that will be decommissioned in three months. Patching may also introduce new risks or defects that affect business operations or the decommissioning process itself. The IS auditor should weigh the cost-benefit analysis and the organization's risk appetite before recommending any corrective action.

Answer D is incorrect because taking no action simply because the application will be decommissioned in three months is poor audit practice. The application may still pose a significant risk to the organization during that period, and the auditor should not ignore or overlook the policy noncompliance. The IS auditor should verify that the risk has been formally accepted and documented by management or the policy owner, and that the policy exception is monitored and reviewed until the application is actually decommissioned.
