Certified Information Systems Auditor (CISA) — Question 255
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
Answer options
- A. Employees do not receive immediate notification of results.
- B. Only new employees are required to attend the program.
- C. The timing for program updates has not been determined.
- D. Metrics have not been established to assess training results.
Correct answer: B
Explanation
The correct answer is B because requiring only new employees to attend the program limits the effectiveness of security awareness across the entire organization. The other options, while concerning, do not restrict participation to such a limited group and therefore do not affect the overall security culture as severely.