Certified Information Systems Auditor (CISA) — Question 840
An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program. Which of the following would BEST enable the organization to work toward improvement in this area?
Answer options
- A. Outsourcing the threat and vulnerability management function to a third party
- B. Maintaining a catalog of vulnerabilities that may impact mission-critical systems
- C. Using a capability maturity model to identify a path to an optimized program
- D. Implementing security logging to enhance threat and vulnerability management
Correct answer: C
Explanation
The correct answer, C, is correct because a capability maturity model gives the organization a structured way to assess its current vulnerability management capabilities and to identify the steps that lead toward an optimized program, which directly addresses the lack of alignment between ad hoc scanning and the wider program. Option A may not ensure alignment with organizational goals, B is a useful practice but does not encompass overall program improvement, and D, while a helpful supporting control, does not provide a strategic improvement path.