An IS auditor is reviewing the upgrading of an operating system.
Which of the following would be the GREATEST audit concern?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
The GREATEST audit concern in reviewing the upgrading of an operating system is likely to be the lack of change control, which is option B.
Explanation: Upgrading an operating system involves changing the system's software or hardware components to a newer version, which could potentially introduce new vulnerabilities and risks to the system. Therefore, it is essential to ensure that the upgrade process is properly managed, documented, and controlled to minimize any adverse impacts on the organization's IT environment.
Change control is a critical aspect of the upgrade process, which involves following established procedures for requesting, evaluating, approving, testing, implementing, and monitoring changes to the IT environment. It ensures that changes are properly authorized, tested, and documented, and that they do not adversely affect the system's security, availability, or integrity.
The lack of change control could lead to unapproved or unauthorized changes to the system, which could introduce new vulnerabilities, errors, or inconsistencies that may lead to security breaches or system failures. Without proper change control, it would be difficult to trace and correct errors or identify the responsible parties in case of incidents or audit inquiries.
While the other options, lack of release notes, malware protection, and activity logging, are also important aspects of system security, they are less critical than change control in the context of an operating system upgrade.
Lack of release notes could hinder the auditor's understanding of the changes made to the operating system and the potential impacts on the system's security.
Lack of malware protection could expose the system to security threats from malicious software, but this concern would be present regardless of whether the operating system is upgraded or not.
Lack of activity logging could make it difficult to detect and investigate security incidents or audit inquiries, but this concern would also be present regardless of the operating system upgrade.