Certified Information Systems Auditor (CISA) — Question 446
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Answer options
- A. The attack could not be traced back to the originating person.
- B. The attack was not automatically blocked by the intrusion detection system (IDS).
- C. Appropriate response documentation was not maintained.
- D. The security weakness facilitating the attack was not identified.
Correct answer: D
Explanation
Finding D is the most critical because identifying the security weakness is essential to prevent future incidents. Without recognizing the vulnerability, the organization cannot effectively mitigate risks or strengthen defenses. The other options, while important, do not directly address the root cause of the incident.