Certified Information Systems Auditor (CISA) — Question 39

Which of the following observations noted during a review of the organization's social media practices should be of MOST concern to the IS auditor?

Answer options

• A. Not all employees using social media have attended the security awareness program.
• B. The organization does not require approval for social media posts.
• C. The organization does not have a documented social media policy.
• D. More than one employee is authorized to publish on social media on behalf of the organization.

Correct answer: C

Explanation

The correct answer is C because a documented social media policy is essential for guiding employee behavior and mitigating risks associated with social media use. Without such a policy, the organization may face inconsistent practices and potential security vulnerabilities. Options A and B, while concerning, are not as critical as lacking a formal policy, and D introduces some risk but is manageable with proper oversight.