An internal audit has detected that a number of archived tapes are missing from secured storage. There
was no recent need for restoration of data from the missing tapes. The location is monitored by access
control and CCTV systems. Review of the CCTV system indicates that it has not been recording for three
months. The access control system shows numerous valid entries into the storage location during that
time. The last audit was six months ago and the tapes were accounted for at that time. Which of the
following could have aided the investigation?

A.
Testing controls

B.
Risk assessment

C.
Signed AUP

D.
Routine audits

Explanation:
Testing controls come in three types: Technical, Management and Operational.
In this question, the CCTV system has not been recording for three months and no one noticed. Improved
testing controls (regular testing to verify the CCTV system is recording) would ensure that the CCTV is
recording as expected.
The CCTV recordings could have aided the investigation into the missing tapes.
Incorrect Answers:
B: A risk assessment might have calculated the chance or risk of the CCTV system not recording or the risk
of the tapes going missing. However, the risk assessment itself would not do anything to ensure that the
CCTV system is checked regularly or prevent the tapes from going missing.
C: A signed AUP (Acceptable Use Policy) would do nothing to prevent the loss of the tapes or CCTV system
recording failure.
D: Routine audits might have shown sooner that the tapes are missing but they would not help discover
what happened to the tapes.