Question

Assuming that a high degree of security is needed, which of the following potential sources of information will also be relevant to the internal auditor's assessment of whether the governmental unit is being charged for computer security that exceeds the entity's needs?

1 Comparison of the security system with best practices implemented for similar systems
2 Comparison of the security system with recent publications on state-of-the-art systems
3 Tests of the functionality of the security system

A. 1 and 2 only.
B. 2 only.
C. 3 only.
D. 1, 2, and 3.

Answer 1

To assess whether the governmental unit is charged for computer security that exceeds its needs, a combination of comparison with best practices, recent publications on state-of-the-art systems, and tests of the system's functionality are relevant, making the correct answer D. 1, 2, and 3.

Step-by-step explanation:

The student is asking about assessing whether a governmental unit's investment in computer security is excessive compared to its needs. To conduct a comprehensive assessment, one should utilize multiple sources of information and analysis.

Comparing the security system with best practices implemented for similar systems is a fundamental step, as it provides context on whether the systems in place are reasonable or if there's an overshoot regarding those in similar circumstances.

Reviewing recent publications on state-of-the-art systems is equally crucial to understand if the government unit has invested more in cutting-edge technology that may not be necessary for its operations, which could indicate an over-expenditure on security.

Finally, performing tests of the functionality of the security system is essential to know if the security measures are operating effectively or if they are, indeed, overkill for the threat landscape faced by the entity.

The correct answer to the student's question is, therefore, D. 1, 2, and 3.