An IS audit reveals that an organization is not proactively addressing known vulnerabilities.
Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested.
B. Ensure the intrusion prevention system (IPS) is effective.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
Answer: C
Explanation:
If an IS audit reveals that an organization is not proactively addressing known vulnerabilities, the IS auditor should first recommend that the organization assess the security risks to the business. A risk assessment prioritizes the known vulnerabilities by their likelihood and business impact and drives the choice of appropriate mitigation strategies. Verifying that the disaster recovery plan (DRP) has been tested, ensuring the intrusion prevention system (IPS) is effective, and confirming that the incident response team understands the issue are all important steps, but none of them is as urgent as assessing the security risks to the business, and each depends on the risk assessment to be applied effectively.
References: CISA Review Manual (Digital Version), Chapter 5, Section 5.6