Certified Information Systems Auditor (CISA) — Question 887
Which of the following should be the GREATEST concern for an IS auditor reviewing the implementation of a security information and event management (SIEM) system?
Answer options
- A. SIEM rule tuning is only reviewed annually.
- B. Network monitoring events are not aggregated into the SIEM.
- C. Only the last seven days of logs from the SIEM are maintained for review.
- D. Security operations center (SOC) staff have not been fully trained on how to use the SIEM.
Correct answer: B
Explanation
The correct answer is B. A SIEM can only correlate and alert on the events it actually receives, so if network monitoring events are not aggregated into the SIEM, critical security incidents may go undetected, compromising the overall security posture. Options A, C, and D are legitimate concerns, but they do not pose as significant a risk to the effectiveness of the SIEM as the absence of aggregated network monitoring data does.