Based on the information provided, which of the following situations presents the GREATEST
information security risk for an organization with multiple, but small, domestic processing
locations?
A.
Systems operation procedures are not enforced
B.
Change management procedures are poor
C.
Systems development is outsourced
D.
Systems capacity management is not performed
Explanation:
The lack of change management is a severe omission and will greatly increase information
security risk. Since procedures are generally nonauthoritative, their lack of enforcement is not a
primary concern. Systems that are developed by third-party vendors are becoming commonplace
and do not represent an increase in security risk as much as poor change management. Poor
capacity management may not necessarily represent a security risk.