Certified Information Systems Auditor (CISA) — Question 308

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's bring your own device (BYOD) policy?

Answer options

• A. Not all devices are approved for BYOD.
• B. The policy does not include the right to audit BYOD devices.
• C. A mobile device management (MDM) solution is not implemented.
• D. The policy is not updated annually.

Correct answer: C

Explanation

The absence of a mobile device management (MDM) solution is a significant concern because it can lead to security vulnerabilities and a lack of control over the devices accessing the organization's network. While the other options are important, not having an MDM solution poses a direct risk to data security and device management, making it the most pressing issue.