Network Threat Response Process: Addressing Closed Alerts without Resolution | CISA Exam Guide

Understanding the Situation: Closed Alerts without Resolution


Question

During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution.

Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them.

What is the BEST way for the auditor to address this situation?

Answers

A. Recommend further review of the closed unactioned alerts.
B. Omit the finding from the audit report.
C. Recommend that management enhance the policy and improve threat awareness training.
D. Reopen the unactioned alerts and report to the audit committee.

Explanations

The BEST way for the IS auditor to address the situation would be to recommend that management enhance the policy and improve threat awareness training (Option C). Here's why:

Closing alerts without resolution is not an effective way to manage network threats, and it is not in line with industry best practices. It indicates a lack of maturity in the organization's incident response process and could lead to a major security incident going undetected.

The reason management gave for closing unactioned alerts, a lack of actionable intelligence, may be valid in some cases. However, it should not be used as a blanket justification for closing all alerts without investigation. The IS auditor needs to evaluate whether the support team is following a documented process for handling alerts and whether gaps in that process are causing alerts to be closed prematurely.

If the IS auditor finds that alerts are being mishandled, they should recommend further review of closed unactioned alerts to identify the root cause of the problem (Option A). However, this should only be done after verifying that the support team is following an established process and that the alerts being closed are truly unactionable.

If the IS auditor finds that the policy allows for alerts to be closed without resolution, they should not omit the finding from the report (Option B). Instead, they should highlight the gap in the organization's incident response process and recommend improvements.

The best course of action for the IS auditor is to recommend that management enhance the policy and improve threat awareness training (Option C). This will help the organization improve its incident response process and ensure that all alerts are investigated thoroughly. The IS auditor should provide specific recommendations on how to improve the policy, such as providing guidelines on when an alert can be closed, and how to improve threat awareness training, such as providing training on identifying and investigating potential threats.
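As an added example, not part of the exam guide, this is the kind of analytic an auditor could run over an exported ticket list to size the problem (Option A's review of closed alerts) and to test each closure against a documented closure guideline of the sort Option C recommends. The field names, the records and the closure rule are constructed assumptions, not any real product's schema.

```python
from collections import Counter

# Constructed sample of an alert-ticket export (values made up for illustration).
# Field names are assumptions; a real SIEM or ticketing export will differ.
ALERT_EXPORT = [
    {"id": "A-1001", "status": "closed", "disposition": "resolved",
     "analyst_notes": "Phishing confirmed; sender blocked, user notified", "triage_steps": 3},
    {"id": "A-1002", "status": "closed", "disposition": "no_actionable_intel",
     "analyst_notes": "", "triage_steps": 0},
    {"id": "A-1003", "status": "closed", "disposition": "no_actionable_intel",
     "analyst_notes": "Source IP absent from all feeds; no endpoint telemetry", "triage_steps": 2},
    {"id": "A-1004", "status": "closed", "disposition": "no_actionable_intel",
     "analyst_notes": "", "triage_steps": 0},
    {"id": "A-1005", "status": "open", "disposition": None,
     "analyst_notes": "Awaiting host logs", "triage_steps": 1},
]


def closed(alerts):
    """Closed tickets only; open ones are out of scope for a closure review."""
    return [a for a in alerts if a["status"] == "closed"]


def closure_breakdown(alerts):
    """Count closed alerts per disposition: the auditor's first sizing step."""
    return Counter(a["disposition"] for a in closed(alerts))


def unresolved_closure_rate(alerts):
    """Fraction of closed alerts that were closed without a resolution."""
    done = closed(alerts)
    if not done:
        return 0.0
    return sum(1 for a in done if a["disposition"] != "resolved") / len(done)


def policy_violations(alerts, min_triage_steps=1):
    """Assumed closure guideline: an alert may be closed as 'no actionable
    intelligence' only if the analyst recorded why and logged at least
    `min_triage_steps` investigation steps. Returns offending ticket ids."""
    return sorted(
        a["id"] for a in closed(alerts)
        if a["disposition"] == "no_actionable_intel"
        and (not a["analyst_notes"].strip() or a["triage_steps"] < min_triage_steps)
    )


if __name__ == "__main__":
    print("closures by disposition:", dict(closure_breakdown(ALERT_EXPORT)))
    print(f"closed without resolution: {unresolved_closure_rate(ALERT_EXPORT):.0%}")
    print("closures lacking documented justification:", policy_violations(ALERT_EXPORT))
```

Tickets returned by `policy_violations` are the ones the auditor would sample for root-cause review; tightening `min_triage_steps` shows how a stricter closure guideline changes the exception list.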

Reopening unactioned alerts and reporting to the audit committee (Option D) should only be considered if the IS auditor finds evidence of a serious security incident that was not properly investigated due to the organization's flawed incident response process. However, this should be a last resort, as it could damage the organization's reputation and cause panic among stakeholders.