An organization is developing a web portal using some external components.
Which of the following should be of MOST concern to an IS auditor?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
As an IS auditor, the most concerning issue for an organization developing a web portal using external components is the organization's failure to review the components for known exploits. Hence, option C is the correct answer.
Explanation:
A. Open-source components were integrated during development: Open-source components are often used in software development, and their integration is not necessarily a concern for an IS auditor. However, the auditor may need to assess whether the open-source components used are compatible with the organization's policies, license agreements, and security requirements.
B. Some of the developers are located in another country: The location of developers is not necessarily a concern for an IS auditor. However, if the developers are located in a country with a high risk of cyberattacks, the auditor may need to assess the security measures in place to protect the organization's data.
C. The organization has not reviewed the components for known exploits: The failure to review the components for known exploits is a significant risk for the organization. This means that the organization is not aware of the potential security vulnerabilities that the components may have. As a result, attackers can exploit these vulnerabilities to gain unauthorized access to the organization's data or systems.
D. Staff require additional training to perform code review: Staff requiring additional training is not necessarily a concern for an IS auditor. However, the auditor may need to assess whether the staff has the necessary skills and knowledge to perform code review effectively.
In summary, while the other options may be relevant to an IS auditor, the most concerning issue for an organization developing a web portal using external components is the failure to review the components for known exploits. The auditor should recommend that the organization review the components for security vulnerabilities and implement appropriate controls to mitigate the risks identified.