After identifying potential security vulnerabilities, what should be the IS auditor’s next step?
A . To evaluate potential countermeasures and compensatory controls
B . To implement effective countermeasures and compensatory controls
C . To perform a business impact analysis of the threats that would exploit the vulnerabilities
D . To immediately advise senior management of the findings
Answer: C
Explanation:
After identifying potential security vulnerabilities, the IS auditor’s next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.