An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center.
Which of the following findings should be of GREATEST concern to the auditor?
A. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan.
B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan.
C. Backup data is hosted online only.
D. The SLA has not been reviewed in more than a year.
Answer: B.
As an IS auditor, it is important to review service level agreements (SLAs) to ensure that they are aligned with the organization's policies and objectives. In this scenario, the IS auditor is reviewing a bank's SLA with a third-party provider that hosts the bank's secondary data center. The auditor should look for any discrepancies or issues that could affect the bank's ability to recover from a disaster or disruption.
Of the four options provided, the finding that should be of greatest concern to the auditor is option A, where the recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan. The RPO is the maximum amount of data loss, measured in time, that an organization can tolerate, and it is usually defined in the disaster recovery plan. If the RPO in the SLA is shorter than what is documented in the disaster recovery plan, it means that the bank may not be able to recover all of its data if a disaster occurs.
For example, if the disaster recovery plan states that the RPO is four hours, but the SLA with the third-party provider has an RPO of two hours, it means that the bank may lose some data if a disaster occurs before the two-hour mark. This could result in financial losses or regulatory compliance issues, especially if the lost data includes critical information such as customer transactions or personal data.
Option B, where the recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan, is also a concern, but it is not as critical as option A. The RTO is the amount of time within which an organization must resume normal operations after a disaster or disruption. If the RTO in the SLA is longer than what is documented in the disaster recovery plan, the bank may take longer to resume normal operations, which could result in financial losses or reputational damage.
Option C, where backup data is hosted online only, is also a concern, but it is not as critical as options A and B. Hosting backup data online only increases the risk of data breaches, as the data could be accessed by unauthorized individuals. However, if the bank has implemented appropriate security controls to protect the online backup data, the risk could be mitigated.
Option D, where the SLA has not been reviewed in more than a year, is also a concern, but it is not as critical as options A and B. It is important for SLAs to be reviewed regularly to ensure that they are still relevant and aligned with the organization's objectives. However, the fact that the SLA has not been reviewed in more than a year does not necessarily mean that there are issues with the SLA.