Improve Your Security Incident Response Capability

Effective Strategies for Enhancing Incident Detection and Response


Question

An IS auditor has observed gaps in the data available to the organization for detecting incidents.

Which of the following would be the BEST recommendation to improve the organization's security incident response capability?

Answers

A. Document procedures for incident escalation.
B. Document procedures for incident classification.
C. Correlate security logs collected from multiple sources.
D. Centralize alerts and security log information.

Explanations


In this scenario the IS auditor has found gaps in the data the organization has available for detecting incidents. The weakness is therefore in detection: the organization cannot identify security incidents reliably, and no amount of response procedure helps with incidents that are never detected. The recommendation should close that data gap:

C. Correlate security logs collected from multiple sources.

Correlating security logs from multiple sources is the best recommendation because it addresses the gap the IS auditor observed directly. Correlation means joining events from different sources (for example firewall, authentication and endpoint logs) on shared attributes such as user, source IP address and time window, and analyzing the combined sequence for patterns and anomalies. Activity that stays below the alerting threshold of any single source can become a clear incident once the sources are viewed together, so correlation lets the organization detect incidents that would otherwise go unnoticed.

Option A (document procedures for incident escalation) and Option B (document procedures for incident classification) are important parts of incident response, but they do not address the specific gap the IS auditor observed. Documented procedures make response consistent and repeatable, but they only act on incidents that have already been detected; without sufficient data, there is nothing for the procedures to escalate or classify.

Option D (centralize alerts and security log information) is also a good recommendation, and in practice it is usually a prerequisite for correlation, but on its own it does not fully address the gap. Centralizing alerts and logs puts the existing data in one place, which makes it easier to search, but it adds no detection capability by itself: an incident that no single source reveals stays invisible whether that source is stored centrally or not. Correlation, on the other hand, derives new detections from the combined data by revealing patterns and anomalies that are not apparent when each log is analyzed in isolation.
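The point made about correlation above, and the contrast with mere centralization, can be shown concretely. The following is an added example, not part of the original question or explanation: it runs a per-host brute-force rule and a cross-source correlation rule over a small set of constructed log lines (a firewall feed and sshd logs from two hosts; the hostnames, IP addresses, usernames and log formats are invented for illustration). Each host alone sees only two failed logins from the attacking address, below a typical per-host threshold, so analyzing the logs in isolation raises nothing. Joining the sources on source IP within a time window shows failures across several hosts, preceded by firewall denies and followed by a successful login, which is the pattern the correlation rule alerts on.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs for the example; not captured from any real system.
FIREWALL_LOG = """\
2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=445
2024-05-01T10:00:30Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443
"""

AUTH_LOGS = {
    "web01": """\
2024-05-01T10:01:10Z web01 sshd[412]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-05-01T10:01:15Z web01 sshd[413]: Failed password for bob from 203.0.113.7 port 51001 ssh2
2024-05-01T10:02:00Z web01 sshd[414]: Accepted password for carol from 198.51.100.2 port 40001 ssh2
""",
    "db01": """\
2024-05-01T10:03:05Z db01 sshd[200]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2024-05-01T10:03:12Z db01 sshd[201]: Failed password for dave from 203.0.113.7 port 51003 ssh2
2024-05-01T10:04:40Z db01 sshd[202]: Accepted password for dave from 203.0.113.7 port 51004 ssh2
""",
}

FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) src=(?P<src_ip>\S+) dst=\S+ dport=\d+$")
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>\S+) port \d+ ssh2$")


@dataclass(frozen=True)
class Event:
    """Normalized event: every source is mapped onto the same few fields so
    that events can be joined on src_ip and time regardless of origin."""
    ts: datetime
    source: str          # which feed produced the event ("firewall" or "sshd")
    host: str
    kind: str            # "fw_deny", "auth_fail" or "auth_ok"
    src_ip: str
    user: str | None = None


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m and m["action"] == "DENY":   # only denies are interesting here
            events.append(Event(parse_ts(m["ts"]), "firewall", m["host"], "fw_deny", m["src_ip"]))
    return events


def parse_sshd(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            events.append(Event(parse_ts(m["ts"]), "sshd", m["host"], kind, m["src_ip"], m["user"]))
    return events


def load_all() -> list[Event]:
    """Centralize: pull every source into one normalized event list."""
    events = parse_firewall(FIREWALL_LOG)
    for text in AUTH_LOGS.values():
        events.extend(parse_sshd(text))
    return events


def isolated_alerts(events: list[Event], threshold: int = 5) -> list[dict]:
    """What a classic per-host brute-force rule sees: failures counted per
    (host, src_ip) pair, with no knowledge of the other hosts or the firewall."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.kind == "auth_fail":
            counts[(e.host, e.src_ip)] += 1
    return [{"host": h, "src_ip": ip, "failures": n}
            for (h, ip), n in counts.items() if n >= threshold]


def correlated_alerts(events: list[Event], window: timedelta = timedelta(minutes=10),
                      min_failures: int = 3, min_hosts: int = 2) -> list[dict]:
    """Correlate: for every successful login, look back over the window at all
    events from the same source IP across every feed and host. Alert when the
    success is preceded by spread-out failures on several hosts (spraying)."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for ok in (e for e in evs if e.kind == "auth_ok"):
            prior = [e for e in evs if ok.ts - window <= e.ts < ok.ts]
            fails = [e for e in prior if e.kind == "auth_fail"]
            hosts = sorted({e.host for e in fails})
            denies = [e for e in prior if e.kind == "fw_deny"]
            if len(fails) >= min_failures and len(hosts) >= min_hosts:
                alerts.append({"src_ip": ip, "user": ok.user, "host": ok.host,
                               "failures": len(fails), "hosts": hosts,
                               "fw_denies": len(denies), "at": ok.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    evs = load_all()
    print("per-host rule:", isolated_alerts(evs))
    print("correlated rule:", correlated_alerts(evs))
```

The per-host rule returns nothing because no single host saw more than two failures; the correlated rule reports one alert for 203.0.113.7: four failures across web01 and db01, two earlier firewall denies, and then a successful login as dave on db01. load_all() is the "centralize" step of Option D; it is necessary, but the detection only appears once correlated_alerts() joins the events on source IP and time.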

In conclusion, correlating security logs collected from multiple sources is the best recommendation to improve the organization's security incident response capability, as it directly addresses the observed gap in data and can reveal security incidents that may have been missed.