Certified Information Systems Auditor (CISA) — Question 673
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
Answer options
- A. Evaluate the corporate asset handling policy for potential gaps.
- B. Examine the workflow to identify gaps in asset handling responsibilities.
- C. Recommend the drives be sent to the vendor for destruction.
- D. Escalate the finding to the asset owner for remediation.
Correct answer: D
Explanation
The correct answer is D because escalating the issue to the asset owner ensures that the problem is addressed by someone with the authority to take corrective action. Options A and B focus on evaluating policies and workflows, which can be helpful but do not resolve the immediate risk. Option C lacks the ownership and accountability needed to address the oversight.