An organization recently decided to send the backup of its customer relationship management (CRM) system to its cloud provider for recovery.
Which of the following should be of GREATEST concern to an IS auditor reviewing this process?
A. B. C. D.B.
As an IS auditor, the primary concern should be to ensure that the backup and recovery process is reliable, secure, and compliant with the organization's policies and regulatory requirements. Among the given options, the GREATEST concern would be:
A. Backups are sent and stored in unencrypted format.
Encrypting backups is essential to ensure that the data remains confidential, especially when it is transmitted to or stored in an external environment such as a cloud service provider. Without encryption, the data may be exposed to unauthorized access or theft during transmission or storage. Additionally, the lack of encryption may violate regulatory requirements or the organization's security policies. Therefore, an IS auditor must ensure that backups are encrypted using strong encryption algorithms and that the encryption keys are securely managed.
B. Validation of backup data has not been performed.
Validation of backup data refers to the process of verifying the integrity, completeness, and accuracy of the backup data before sending it to the cloud provider. Validation is necessary to ensure that the backup data is not corrupt, missing, or inconsistent, which may result in a failed restore or data loss. However, while important, it is not the GREATEST concern as the validation process can be performed before sending the backup to the cloud provider.
C. The cloud provider is located in a different country.
The location of the cloud provider is also an important consideration as it may impact the organization's data privacy, security, and legal compliance. The IS auditor should ensure that the cloud provider is compliant with the relevant data protection and privacy regulations, such as GDPR or CCPA, and that the data is not subject to unauthorized access or disclosure. However, while a valid concern, it is not the GREATEST concern as the cloud provider's location can be assessed and addressed through a thorough due diligence process.
D. Testing of restore data has not been performed.
Testing of restore data refers to the process of verifying that the backup data can be successfully restored from the cloud provider's storage to the organization's systems. Testing is necessary to ensure that the recovery process is reliable and that the data can be restored within the organization's recovery time objective (RTO). However, while essential, it is not the GREATEST concern as testing can be performed after the backup is sent to the cloud provider.
In conclusion, the GREATEST concern for an IS auditor reviewing the backup and recovery process of an organization's CRM system sent to a cloud provider for recovery is that the backups are sent and stored in an unencrypted format.