Certified Information Systems Auditor (CISA) — Question 1447

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:

Answer options

• A. notify the audit committee.
• B. review security incident reports.
• C. identify compensating controls.
• D. document the exception in an audit report.

Correct answer: C

Explanation

The correct answer is C because identifying compensating controls is crucial for mitigating the risk of the vulnerability before taking further steps. Notifying the audit committee, reviewing incident reports, or documenting the exception are important actions, but they should come after assessing how to address the vulnerability immediately.