Certified Information Systems Auditor (CISA) — Question 9
Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
Answer options
- A. Employees are not required to sign a non-compete agreement.
- B. Security education and awareness workshops have not been completed.
- C. Users lack technical knowledge related to security and data protection.
- D. Desktop passwords do not require special characters.
Correct answer: B
Explanation
Finding B is crucial because, without proper security education and awareness, employees may not recognize or respond effectively to security threats, which can lead to further breaches. The other options also indicate weaknesses, but none of them affects employees' immediate understanding of and reaction to security risks as significantly as the lack of security training does.