An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Ensure the intrusion prevention system (IPS) is effective.
B. Verify the disaster recovery plan (DRP) has been tested.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
C. Assess the security risks to the business.
When an IS audit reveals that an organization is not proactively addressing known vulnerabilities, the IS auditor should first recommend that the organization assess the security risks to the business (Option C). Until the organization knows which vulnerabilities affect which systems, how likely they are to be exploited, and what the impact on operations and data would be, it cannot prioritize remediation or allocate resources in a risk-informed way. The other options are reactive or compensating controls: tuning the IPS (A), testing the DRP (B) and briefing the incident response team (D) each address the consequences of an exploited vulnerability, not the root finding that known vulnerabilities are being left unmanaged, and none of them can be prioritized sensibly until the risk assessment has been done.
C. Assessing the security risks to the business is the crucial first step because it helps identify and prioritize vulnerabilities based on their potential impact and likelihood of exploitation.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), other (20%)