Certified Information Systems Auditor (CISA) — Question 134
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
Answer options
- A. Implement additional firewalls to protect the system.
- B. Decommission the server.
- C. Implement a new system that can be patched.
- D. Evaluate the associated risk.
Correct answer: D
Explanation
The correct answer is to evaluate the associated risk. Before recommending any remediation, the auditor must understand the likelihood and potential impact of the vulnerability being exploited; that assessment determines which response, if any, is proportionate. Implementing additional firewalls, decommissioning the server, or introducing a new system are all possible compensating or corrective measures, but none of them can be justified or prioritized until the risk has first been evaluated.