CISA Certified Information Systems Auditor – Question 2107

Which of the following should an IS auditor recommend be done FIRST upon learning that new data protection legislation may affect the organization?

A. Implement data protection best practices
B. Implement a new security baseline for achieving compliance
C. Restrict system access for noncompliant business processes
D. Perform a gap analysis of data protection practices

Correct Answer: D