Certified Information Systems Auditor (CISA) — Question 951
Which of the following findings related to an organization's information security policy should be of GREATEST concern to an IS auditor?
Answer options
- A. The policy has not been communicated to all staff members and training has not been scheduled.
- B. The policy has not addressed requirements for regular penetration testing.
- C. The policy has not defined organizational roles and responsibilities for information security.
- D. The policy is not developed in accordance with a globally accepted information security standard.
Correct answer: C
Explanation
The lack of defined organizational roles and responsibilities for information security (option C) poses the greatest risk, because without clear accountability nobody owns security decisions, which leads to confusion and an inadequate response during security incidents. The other options point to weaknesses in communication (A), testing (B) and compliance (D), but none of them directly undermines the governance structure on which effective information security management depends.