Certified Information Systems Auditor (CISA) — Question 137

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Answer options

• A. Security incident policies are out of date.
• B. Lessons learned have not been properly documented.
• C. Vulnerabilities have not been properly addressed.
• D. Abuses by employees have not been reported.

Correct answer: C

Explanation

The primary concern is that without investigating root causes, vulnerabilities remain unaddressed, which can lead to repeated incidents. While documenting lessons learned and reporting employee abuses are important, they do not directly impact the organization's security posture as significantly as unresolved vulnerabilities do.