Certified Information Systems Auditor (CISA) — Question 1425
An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
Answer options
- A. The application purchases did not follow procurement policy.
- B. The applications may not reasonably protect data.
- C. The applications could be modified without advance notice.
- D. The applications are not included in business continuity plans (BCPs).
Correct answer: B
Explanation
The greatest risk is that these applications may not offer adequate data protection, which can lead to security breaches or data loss. While not following procurement policy (A), potential modifications without notice (C), and exclusion from BCPs (D) are concerns, they do not directly impact the immediate protection of sensitive data like option B does.