Certified Information Systems Auditor (CISA) — Question 983
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?
Answer options
- A. Scans are performed less frequently than required by the organization’s vulnerability scanning schedule.
- B. Steps taken to address identified vulnerabilities are not formally documented.
- C. Results are not approved by senior management.
- D. Results are not reported to individuals with authority to ensure resolution.
Correct answer: D
Explanation
The correct answer is D because reporting scan results to individuals with the authority to ensure resolution is what turns findings into remediation. While documenting remediation steps and obtaining senior management approval are important, failing to communicate results to those who can enforce resolution means vulnerabilities may remain unaddressed, which poses the greatest risk to the organization’s security posture.