Certified Information Systems Auditor (CISA) — Question 807
Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?
Answer options
- A. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.
- B. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs).
- C. Preventive maintenance has not been approved by the information system owner.
- D. Preventive maintenance costs exceed the business’s allocated budget.
Correct answer: B
Explanation
Option B is the correct answer because outsourcing preventive maintenance without NDAs can lead to data leaks and security risks. The other options, while potentially concerning, do not pose as immediate a risk to the confidentiality and integrity of the organization's data as the lack of NDAs does.