Prior to a new web-based order entry system being released into production, an IT auditor is performing a review. During the review, the IT auditor discovers that the existing configuration of the application may introduce sensitive data issues, since it appears to be lacking critical controls for how to appropriately store customer credit card information. The initial action for the IT auditor to take is:
Verify that security requirements have been properly specified in the project plan.
Validate whether security controls are based on old requirements.
Determine if system administrators have disabled security controls to improve performance.
Assess whether system developers have proper training on adequate security measures.
If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed, meaning that the deployed system meets the requirements that were specified. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.