An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
A. Network penetration tests are not performed.
B. The network firewall policy has not been approved by the information security officer.
C. Network firewall rules have not been documented.
D. The network device inventory is incomplete.
An incomplete inventory hampers visibility and management. It can lead to unpatched devices, unauthorized access, and security blind spots.
Remember that risk assessment considers both likelihood and impact. In this case, the incomplete inventory poses immediate operational and security risks.
D is the accurate answer. Without a complete inventory of the network in an enterprise, you won't be able to assess the risk. This is the highest risk; then comes B.
A. Network penetration tests are not performed – This poses the highest risk because penetration testing is a critical control for identifying exploitable vulnerabilities in a live network environment. Without it, the organization may be unaware of serious security flaws that could lead to unauthorized access, data breaches, or service disruption. This represents a direct threat to the organization's security posture.
Comparisons:
B. Firewall policy not approved by the information security officer – This is a governance/control issue, but it doesn't directly expose the network to threats like missing penetration tests do.
C. Firewall rules not documented – This weakens change management and troubleshooting, but again, it is less risky than not actively testing for vulnerabilities.
D. Incomplete network device inventory – Important for security and asset management, but this is a supporting control. The lack of penetration testing has a more immediate and severe impact on risk exposure.
While D (the network device inventory is incomplete) is a concern, it is not as critical as the absence of penetration testing, for the following reasons:
A (No Network Penetration Tests):
This is a direct security control failure, leaving the organization blind to vulnerabilities that attackers could exploit.
Without penetration testing, serious issues like open ports, weak passwords, and unpatched systems may go undetected.
Penetration testing actively validates the security posture, which is crucial for identifying real-world attack vectors.
D (Incomplete Network Device Inventory):
This is a secondary control failure, affecting asset management and risk visibility.
While important, an inventory issue is less immediately exploitable than untested security vulnerabilities.
Penetration testing can still uncover vulnerable devices, even if the inventory is incomplete.
The absence of a properly approved network firewall policy poses a significant risk because it indicates a lack of formal oversight, accountability, and governance. An unapproved policy may result in misconfigurations or improper firewall rules, which can compromise the entire security infrastructure, allowing potential attackers to exploit vulnerabilities and gain unauthorized access.
Answer: C
While the other findings (network penetration tests not performed, firewall policy not approved by the information security officer, incomplete network device inventory) also represent potential risks to network security, the absence of documented firewall rules is particularly concerning due to its direct impact on the configuration and management of network security controls. Therefore, it should be ranked as the highest risk in the audit report.
By not performing penetration tests, the organization is leaving itself blind to potential security weaknesses that could be exploited by malicious actors. This represents a significant risk to the confidentiality, integrity, and availability of sensitive data.
The perfect answer would have been B (approval by an info sec officer), but looking at the context of the question, where the "fieldwork phase" has been completed, I think D would be a better option.
B. The network firewall policy has not been approved by the information security officer.
The fact that the network's firewall policy has not been approved by the information security officer indicates a lack of control and governance over the network's security settings. This can result in greater vulnerability to attacks and a greater likelihood of security breaches. The lack of approval of the firewall policy can indicate that the security rules have not been established properly and the established security standards are not being followed. This represents a significant risk to the integrity and confidentiality of network data.
It is important to note that the risk classification may vary depending on the context and the specific circumstances of the audited organization. Therefore, it is recommended that the IS auditor perform a full evaluation of the findings and consider other relevant factors before finalizing the highest risk classification.
The approval of the network firewall policy by the information security officer is crucial for ensuring that the organization's network security measures align with established standards, guidelines, and best practices. Without the approval of the information security officer, there is a higher risk of inadequate or ineffective firewall configurations, which can leave the network vulnerable to unauthorized access and potential security breaches.