ExamTopics Logo
Mail Us[email protected]
Menu
Isc Discussions
exam questions

Exam CISSP All Questions

View all questions & answers for the CISSP exam
Go to Exam

Exam CISSP topic 1 question 262 discussion

Actual exam question from ISC's CISSP
Question #: 262
Topic #: 1
[All CISSP Questions]

The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process; therefore, has assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks the audit concludes that the company's policies and procedures are sufficient, robust and well established. The CEO then moves on to engage an external penetration testing company in order to showcase the organization's robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity in the results of the audit and the external penetration test?

  • A. The audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them.
  • B. The scope of the penetration test exercise and the internal audit were significantly different.
  • C. The external penetration testing company used custom zero-day attacks that could not have been predicted.
  • D. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Rollizo at Oct. 1, 2022, 10:47 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Jamati
Highly Voted 2 years, 6 months ago
Selected Answer: A
A salesman has no business running InfoSec audits.
upvoted 8 times
deeden
9 months, 1 week ago
Well, we're short staffed so I asked Bob here to do the audit :)
upvoted 2 times
...
jackdryan
2 years ago
A is correct
upvoted 1 times
...
...
cysec_4_lyfe
Most Recent 2 months ago
Selected Answer: A
I believe A as a sales director would lack the technical experience and training to make insightful and objective assessments of the data provided to them. This would also contribute to the scopes being out of alignment and the IT/GRC teams failing to disclose relevant information.
upvoted 1 times
...
79cc092
9 months, 3 weeks ago
Selected Answer: A
Sales man go back to biz.
upvoted 1 times
...
79cc092
9 months, 3 weeks ago
Sales man lol!
upvoted 1 times
...
CCNPWILL
11 months, 2 weeks ago
Selected Answer: A
Answer is A ... Gimme question.
upvoted 1 times
...
xxxBadManxxx
1 year, 1 month ago
Selected Answer: B
The internal audit, conducted by the Sales Director, likely focused on assessing policies and procedures rather than conducting technical assessments or testing of critical security controls. Conversely, the external penetration test would have involved comprehensive technical testing, including attempts to exploit vulnerabilities and weaknesses in the system. This difference in scope could lead to varying results, with the external penetration test uncovering weaknesses that were not identified by the internal audit
upvoted 1 times
...
629f731
1 year, 4 months ago
Selected Answer: B
While technical expertise is crucial for certain assessments, the core reason for the disparity, given the context, seems to be the difference in scope and objectives between the internal audit and the external penetration test, making option B (The scope of the penetration test exercise and the internal audit were significantly different) the MOST likely reason.
upvoted 2 times
...
rajkamal0
2 years, 4 months ago
Selected Answer: A
A is the best answer.
upvoted 3 times
...
Proctored_Expert
2 years, 4 months ago
Selected Answer: D
D. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.
upvoted 1 times
...
oudmaster
2 years, 4 months ago
B is not true, because the scope is the same as PenTest; "Information Security Posture".
upvoted 1 times
...
Rollizo
2 years, 7 months ago
Selected Answer: B
it could be really that the internal audit had a focus only in commercial matters
upvoted 2 times
CuteRabbit168
2 years, 7 months ago
It’s A. The Sales Director was assigned to conduct an information security audit.
upvoted 3 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago