Certified Information Systems Auditor (CISA) — Question 42
When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
Answer options
- A. An information security governance audit was not conducted within the past year.
- B. Information security policies are updated annually.
- C. The data center manager has final sign-off on security projects.
- D. The information security department has difficulty filling vacancies.
Correct answer: C
Explanation
The correct answer, C, is concerning because allowing the data center manager to have final sign-off on security projects can lead to conflicts of interest and a lack of independent oversight. Option A, while important, is less critical than the governance issue presented in C. Option B indicates a positive practice, and option D, while a challenge, does not affect governance as directly as C does.