Isaca Certified Information Systems Auditor CISA Question # 192 Topic 20 Discussion
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested.
B. Ensure the intrusion prevention system (IPS) is effective.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
If an IS audit reveals that an organization is not proactively addressing known vulnerabilities, the IS auditor should recommend that the organization assess the security risks to the business first, as this would help to prioritize the vulnerabilities based on their impact and likelihood, and determine the appropriate mitigation strategies. Verifying the disaster recovery plan (DRP) has been tested, ensuring the intrusion prevention system (IPS) is effective, and confirming the incident response team understands the issue are important steps, but they are not as urgent as assessing the security risks to the business. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.6