Certified Information Systems Auditor (CISA) — Question 1406
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
Answer options
- A. Verify all patches have been applied to the software system's outdated version.
- B. Monitor network traffic attempting to reach the outdated software system.
- C. Close all unused ports on the outdated software system.
- D. Segregate the outdated software system from the main network.
Correct answer: D
Explanation
The best way to reduce the immediate risk of running an unsupported software version is to segregate the system from the main network, because this limits its exposure to potential threats. Verifying patches, monitoring traffic, and closing unused ports may help, but they do not provide the same level of protection as isolating the system from the network.