Certified Information Systems Auditor (CISA) — Question 1074
Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?
Answer options
- A. Patches for medium- and low-risk vulnerabilities are omitted.
- B. Patches are deployed from multiple deployment servers.
- C. There is no process in place to quarantine servers that have not been patched.
- D. There is no process in place to scan the network to identify missing patches.
Correct answer: D
Explanation
The absence of a process to scan the network for missing patches is the most serious finding because it removes the organization's visibility into its own exposure: without a detective control that establishes which systems are unpatched, management cannot know the size of the problem, cannot prioritize remediation, and cannot demonstrate to the auditor that the patch program is working at all. Omitting patches for medium- and low-risk vulnerabilities (A) may be an acceptable, documented risk decision, provided the decision is based on an accurate picture of what is missing. Deploying from multiple deployment servers (B) is primarily an efficiency and consistency issue rather than a control gap. Quarantining unpatched servers (C) is a valuable compensating control, but it depends entirely on the scanning process: without a scan, the organization cannot identify which servers need to be quarantined in the first place. Detection is therefore the prerequisite on which the other controls rest.
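The dependency the explanation describes (quarantine and risk-based triage both rely on first detecting what is missing) is easy to see in code. The following is an added example, not part of the exam question or any ISACA material: a minimal patch-compliance check that compares a constructed host inventory against a constructed baseline of required package versions, reports hosts with missing patches, flags hosts that never reported an inventory, and only then derives quarantine candidates. All package names, versions, hostnames and severities are made up for illustration.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed baseline (not a real advisory): package -> (minimum patched version, severity).
REQUIRED_PATCHES = {
    "openssl": ("3.0.13", "high"),
    "openssh-server": ("9.6p1", "high"),
    "curl": ("8.5.0", "medium"),
    "vim": ("9.1.0", "low"),
}

# Constructed inventory as a network scan might collect it: host -> {package: installed version}.
# An empty mapping models a host that could not be scanned or never reported.
FLEET = {
    "web-01": {"openssl": "3.0.11", "openssh-server": "9.6p1", "curl": "8.5.0", "vim": "9.0.2"},
    "web-02": {"openssl": "3.0.13", "openssh-server": "9.6p1", "curl": "8.5.0", "vim": "9.1.0"},
    "db-01": {"openssl": "3.0.13", "openssh-server": "9.3p2", "curl": "8.4.0"},
    "legacy-01": {},
}


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    required: str
    severity: str


def version_key(version: str) -> tuple:
    """Split a version string into comparable components.

    Numeric runs compare as integers and alphabetic runs as strings, so that
    "3.0.13" > "3.0.9" and "9.6p1" > "9.3p2" (naive string comparison gets both wrong).
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def scan(fleet: dict, required: dict) -> tuple[list[Finding], list[str]]:
    """Detective control: return (missing-patch findings, hosts with no inventory).

    A package that is absent from a host's inventory is treated as not installed,
    so the fix is not applicable. A host with no inventory at all cannot be judged
    either way and is reported separately rather than silently passed.
    """
    findings: list[Finding] = []
    unknown: list[str] = []
    for host, installed in fleet.items():
        if not installed:
            unknown.append(host)
            continue
        for package, (min_version, severity) in required.items():
            have = installed.get(package)
            if have is None:
                continue
            if version_key(have) < version_key(min_version):
                findings.append(Finding(host, package, have, min_version, severity))
    return findings, unknown


def quarantine_candidates(findings: list[Finding], unknown: list[str],
                          min_severity: str = "high") -> list[str]:
    """Corrective control that depends on the scan output.

    Hosts missing a patch at or above min_severity are candidates, and so are
    hosts whose patch state is unknown, since their compliance cannot be shown.
    """
    threshold = SEVERITY_RANK[min_severity]
    hosts = {f.host for f in findings if SEVERITY_RANK[f.severity] >= threshold}
    return sorted(hosts | set(unknown))


if __name__ == "__main__":
    found, no_inventory = scan(FLEET, REQUIRED_PATCHES)
    for f in found:
        print(f"{f.host}: {f.package} {f.installed} < {f.required} ({f.severity})")
    print("no inventory:", no_inventory)
    print("quarantine candidates:", quarantine_candidates(found, no_inventory))
```

Note that `quarantine_candidates` has no input other than what `scan` produced: if the scan does not run, the quarantine list is empty and every host looks compliant, which is exactly the blind spot option D describes. Treating hosts with no inventory as candidates rather than as compliant is the conservative choice an auditor would expect.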