Certified Information Systems Auditor (CISA) — Question 1417
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?
Answer options
- A. Report the security posture of the organization.
- B. Determine the risk of not replacing the firewall.
- C. Report the mitigating controls.
- D. Determine the value of the firewall.
Correct answer: B
Explanation
The correct next step is to assess the risk of not replacing the firewall, because that risk directly affects the organization's security. Reporting the security posture or the mitigating controls does not address the immediate risk posed by outdated firewalls, and determining the value of the firewall does not inform the risk-management actions that are needed.