If an IS auditor finds that some hard drives were not sanitized before disposal, what should be the auditor's first step?


The first step the IS auditor should take upon discovering that some hard drives were not sanitized before disposal is to determine the sensitivity of the information on those drives. Understanding the nature of the data is critical because it helps the auditor assess the potential impact on the organization if sensitive information is exposed due to improper disposal.

Sensitive information can include personally identifiable information (PII), financial data, or intellectual property, and if such information is compromised, it can lead to significant legal, financial, and reputational damage to the organization. By categorizing the sensitivity of the data on the hard drives, the auditor can prioritize their findings and recommendations based on potential risks and ensure that appropriate measures are taken to mitigate any threats to data confidentiality and integrity.

Once the sensitivity is determined, the auditor can then effectively address the issue through appropriate channels, such as drafting an audit finding or discussing best practices with management, but the foundational step is understanding the implications of the data left unprotected.
