CompTIA Security Plus Mock Test Q723

An internal audit has detected that a number of archived tapes are missing from secured storage. There was no recent need for restoration of data from the missing tapes. The location is monitored by access control and CCTV systems. Review of the CCTV system indicates that it has not been recording for three months. The access control system shows numerous valid entries into the storage location during that time. The last audit was six months ago and the tapes were accounted for at that time. Which of the following could have aided the investigation?

A. Testing controls
B. Risk assessment
C. Signed AUP
D. Routine audits

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Testing controls come in three types: Technical, Management and Operational.
In this question, the CCTV system has not been recording for three months and no one noticed. Improved testing controls (regular testing to verify the CCTV system is recording)
would ensure that the CCTV is recording as expected.
The CCTV recordings could have aided the investigation into the missing tapes.

Incorrect Answers:
B: A risk assessment might have calculated the chance or risk of the CCTV system not recording or the risk of the tapes going missing. However, the risk assessment itself would not
do anything to ensure that the CCTV system is checked regularly or prevent the tapes from going missing.
C: A signed AUP (Acceptable Use Policy) would do nothing to prevent the loss of the tapes or CCTV system recording failure.
D: Routine audits might have shown sooner that the tapes are missing but they would not help discover what happened to the tapes.