Reviewing an Organization's Purchase of New IT Infrastructure Hardware | CISA Exam Question Answer

Greatest Concern in IT Infrastructure Hardware Purchases


Question

Which of the following findings should be an IS auditor's GREATEST concern when reviewing an organization's purchase of new IT infrastructure hardware?

Answers

Explanations


D.

As an IS auditor, the greatest concern when reviewing an organization's purchase of new IT infrastructure hardware should be the finding that the new infrastructure arrived with default system settings (option A).

Default system settings are the pre-configured settings shipped by the hardware manufacturer, which are usually chosen for ease of setup and convenience rather than for security. These settings may include default passwords, open ports, or services enabled by default, any of which could expose the infrastructure to security risks.

An attacker who is aware of the default system settings could exploit them to gain unauthorized access to the infrastructure and steal sensitive information, modify or delete data, or launch other attacks against the organization.

Therefore, it is important for the organization to review and adjust the default system settings before deploying the new infrastructure to ensure that it is configured securely and in compliance with the organization's security policies.

While the other options (B, C, and D) may also be concerns for an IS auditor, they are not as significant as the finding of default system settings.

Option B, residual risk within the organization's risk tolerance, suggests that there may still be some level of risk present in the infrastructure even after it has been reviewed and approved within the organization's risk management framework. This is a common issue in any risk management process, and it is up to the organization to determine whether the residual risk is acceptable or needs to be further mitigated.

Option C, stronger hardening requirements than required by policy, is not necessarily a negative finding. In fact, it may indicate that the organization has taken extra steps to secure the infrastructure beyond what is mandated by its security policy. However, it is still important for the organization to ensure that the infrastructure is configured in compliance with its policies and standards.

Option D, compatibility issues with existing systems, is also a concern, but it is not as significant as default system settings. Compatibility issues may cause operational disruptions, but they are less likely to result in a security breach than the presence of default system settings.