An IS audit had identified that default passwords for a newly implemented application were not changed.
During the follow-up audit, which of the following would provide the BEST evidence that the finding was effectively addressed?
Correct answer: C.
The finding was that default passwords for a newly implemented application had not been changed. Which option is the best evidence that this finding has been effectively addressed depends on the degree to which it shows that the identified problem has been resolved. Each of the answer options can provide some evidence that the finding has been addressed, but the degree of evidence they provide differs.
A. Written confirmation from management that the passwords were changed: This option may provide some evidence that passwords were changed, but it doesn't provide any assurance that all default passwords have been changed. Additionally, written confirmation from management alone may not be sufficient evidence, as it could be falsified.
B. Screenshots of system parameters requiring password changes on next login: This option provides more evidence than option A, as it shows that the system parameters requiring password changes were configured. However, it still does not provide assurance that all default passwords have been changed.
C. Application log files that record the password changes: This option provides even more evidence than option B, as it shows that the passwords were actually changed and records who changed them. This provides evidence that all default passwords were changed, rather than just showing that the system was set up to require password changes.
D. System-generated emails requiring application users to change passwords: This option provides the most direct evidence that default passwords have been changed, as it shows that users were required to change their passwords. However, it does not provide evidence that all default passwords were changed, as there may be some accounts that were not in use or had not logged in to receive the email.
In summary, the best evidence that the finding was effectively addressed is option C - application log files that record the password changes. This provides evidence that all default passwords have been changed and records who changed them, which is the most direct evidence that the issue has been resolved.