Isaca Certified Information Systems Auditor CISA Question # 328 Topic 33 Discussion
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program?
A. Steps taken to address identified vulnerabilities are not formally documented
B. Results are not reported to individuals with authority to ensure resolution
C. Scans are performed less frequently than required by the organization's vulnerability scanning schedule
The finding that should be of greatest concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program is that results are not reported to individuals with authority to ensure resolution (option B). This indicates a lack of accountability and communication in vulnerability management: identified vulnerabilities may remain unresolved or their remediation may be delayed, which exposes the organization to an increased risk of cyberattacks or breaches. The other findings are also concerning, but less so: undocumented remediation steps and scans performed less often than scheduled affect the completeness, accuracy or timeliness of the scanning process, but not necessarily its effectiveness. References:
ISACA, COBIT 2019 Framework: Introduction and Methodology, section 3.2