Certified Information Systems Auditor (CISA) — Question 1329

An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

Answer options

• A. Violation of industry standards
• B. Lack of data for measuring compliance
• C. Noncompliance with documentation requirements
• D. Lack of user accountability

Correct answer: D

Explanation

The correct answer is D because without formal acknowledgment of the policy, users may not feel accountable for their actions, which can lead to violations. Options A, B, and C, while important, do not directly address the issue of personal responsibility and the potential for misuse of resources without consequences.