Certified Information Systems Auditor (CISA) — Question 267

During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution.
Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?

Answer options

• A. Further review closed unactioned alerts to identify mishandling of threats.
• B. Reopen unactioned alerts and report to the audit committee.
• C. Recommend that management enhance the policy and improve threat awareness training.
• D. Omit the finding from the report as this practice is in compliance with the current policy.

Correct answer: A

Explanation

The best way for the auditor to address the situation is to conduct a deeper examination of closed alerts to pinpoint any mishandling of threats, as this could uncover systemic issues in the threat response process. Reopening alerts and reporting to the audit committee may not provide actionable solutions, while recommending policy enhancements may not address the immediate concerns. Omitting the finding is not appropriate as it allows potential risks to remain unaddressed.