Certified Information Systems Auditor (CISA) — Question 247
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
Answer options
- A. Network penetration tests are not performed.
- B. The network firewall policy has not been approved by the information security officer.
- C. Network firewall rules have not been documented.
- D. The network device inventory is incomplete.
Correct answer: D
Explanation
The incomplete network device inventory is ranked as the highest risk because it can leave devices unmonitored, and those devices may be exploited. Without a complete inventory, vulnerabilities may go undetected, so the other findings, such as the unapproved firewall policy or the undocumented rules, are less critical in comparison. While all of the findings are important, the lack of a complete inventory poses a fundamental risk to overall network security.