Master the CISA exam by understanding why undefined roles and responsibilities in an information security policy are the finding an IS auditor should be most concerned about. Learn more about key CISA concepts.
Question
Which of the following findings related to an organization’s information security policy should be of GREATEST concern to an IS auditor?
A. The policy has not been communicated to all staff members and training has not been scheduled.
B. The policy has not addressed requirements for regular penetration testing.
C. The policy has not defined organizational roles and responsibilities for information security.
D. The policy is not developed in accordance with a globally accepted information security standard.
Answer
C. The policy has not defined organizational roles and responsibilities for information security.
Explanation
Failing to define organizational roles and responsibilities for information security creates ambiguity and undermines accountability: if the policy does not say who owns security decisions, who implements controls, and who is answerable when they fail, no one can be held responsible for either the policy itself or the controls it mandates. The result is confusion, inaction, and ultimately greater exposure to security incidents.
The other options are weaknesses, but each is less critical and, in practice, a consequence of the same root problem. Communicating the policy and scheduling training (A), requiring regular penetration testing (B), and aligning the policy with a globally accepted standard (D) are all tasks that must be assigned to someone; without defined roles and responsibilities, there is no one accountable for ensuring they happen.