The CIO of an organization is concerned that the information security policies may not be comprehensive. Which of the following should an IS auditor recommend be performed FIRST?
A. Obtain a copy of their competitor’s policies.
B. Determine if there is a process to handle exceptions to the policies.
C. Establish a governance board to track compliance with the policies.
D. Compare the policies against an industry framework.