Data Retention Policy for Long-Term Offsite Backup Audit | CISA Exam Prep

Auditing an Organization's Long-Term Offsite Backup Program


Question

An organization's data retention policy states that all data will be backed up, retained for 10 years, and then destroyed.

When conducting an audit of the long-term offsite backup program, an IS auditor should:

Answers


A. B. C. D.

B.

The correct answer is B. Verify that there is a process to ensure readability and restore capability.

Explanation:

The given scenario mentions an organization's data retention policy that requires data to be backed up and retained for 10 years before being destroyed. It is important to ensure that the long-term offsite backup program is working effectively to meet this policy requirement. As an IS auditor, the primary objective would be to assess the adequacy and effectiveness of the backup program to ensure that it is reliable and can restore data when required.

Option A, which suggests verifying that business owners review data before it is destroyed, is not the primary concern of an IS auditor when evaluating a backup program. This task may be the responsibility of the data owners, who may need to verify the data for accuracy and completeness before it is deleted. However, the IS auditor's responsibility is to verify the effectiveness of the backup program and the data recovery process.

Option C, which mentions confirming business interruption insurance coverage, is also not directly related to the audit of the backup program. Although having business interruption insurance coverage is important, it is not the primary focus of an audit of the backup program.

Option D, which suggests reviewing data classification schemes for appropriate security levels, is also not directly related to the audit of the backup program. Data classification is an important aspect of information security, but it does not bear on the evaluation of the backup program's effectiveness.

Therefore, option B, which suggests verifying that there is a process to ensure readability and restore capability, is the most appropriate answer. This task involves assessing the backup program's ability to restore data in a readable format and ensuring that there is a process to verify data readability periodically. The auditor should also verify that the backup program's restore capability is tested periodically and that any issues with data restoration are identified and resolved promptly.