Learn about the most important issue that an information systems auditor should look for when evaluating an organization’s patch management program and processes.
Question
Which of the following should be of GREATEST concern to an IS auditor assessing an organization’s patch management program?
A. Patches for medium- and low-risk vulnerabilities are omitted.
B. Patches are deployed from multiple deployment servers.
C. There is no process in place to quarantine servers that have not been patched.
D. There is no process in place to scan the network to identify missing patches.
Answer
Of the issues listed, an IS auditor should be most concerned that there is no process in place to scan the network to identify missing patches (Choice D).
Explanation
While omitting patches for medium- and low-risk vulnerabilities is not ideal, concentrating patching effort on critical and high-risk vulnerabilities is an acceptable risk-based approach, provided the deferral is a documented decision rather than an oversight. Deploying patches from multiple deployment servers is also not inherently a concern; it is a question of architecture and change control, not of whether vulnerabilities are being addressed.
However, the absence of any process to scan for and identify missing patches is a major gap: it leaves the organization with no visibility into the current patch status of its systems or the unpatched vulnerabilities present in the environment. Without a way to detect missing patches, the organization cannot prioritize remediation, measure compliance with its own patching timelines, or deploy needed patches in a timely manner. Scanning is therefore a foundational element of an effective patch management program, and every other patching control depends on it.
Not quarantining unpatched servers is also a concern, since it allows vulnerable systems to remain exposed on the network. It is still less critical than the lack of scanning, because quarantine is a reactive control that can only act on systems already known to be missing patches, and that knowledge comes from proactive scanning in the first place.
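The two preceding paragraphs argue that detection comes first and that quarantine is only possible once a scan has produced findings. The following Python script is an added example, not part of the original Q&A or of any ISACA material, that makes that dependency concrete: it reconciles what each host reports as installed against a required-patch baseline, ranks the gaps by severity and by how far past the remediation deadline they are, and then derives quarantine candidates from the scan output alone. All host names, patch identifiers, release dates and SLA values are constructed for illustration and are not real vulnerabilities.

```python
"""
Added example: minimal missing-patch reconciliation plus a quarantine
decision that depends on the scan result. Every identifier, date and SLA
below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date

# Severity ordering used for prioritisation (higher is more urgent).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Hypothetical remediation SLAs, in days after release, per severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class RequiredPatch:
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str
    severity: str
    days_overdue: int  # negative means still inside the SLA window


def find_missing_patches(inventory, baseline, today):
    """The 'scan': compare each host's installed set against the baseline.

    inventory: {hostname: set of installed patch ids}
    baseline:  list of RequiredPatch
    Returns findings sorted by severity, then most overdue, then hostname.
    """
    findings = []
    for host, installed in sorted(inventory.items()):
        for patch in baseline:
            if patch.patch_id in installed:
                continue
            age_days = (today - patch.released).days
            findings.append(MissingPatch(
                host, patch.patch_id, patch.severity,
                age_days - SLA_DAYS[patch.severity]))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity],
                                 -f.days_overdue, f.host))
    return findings


def quarantine_candidates(findings, min_severity="critical"):
    """The reactive control from choice C: hosts missing a patch at or above
    min_severity that is already past its SLA. With an empty scan result
    this returns nothing, which is exactly why scanning is the GREATEST
    concern: quarantine has no input without it."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted({f.host for f in findings
                   if SEVERITY_RANK[f.severity] >= threshold
                   and f.days_overdue > 0})


def fully_patched_hosts(inventory, baseline):
    """Hosts with every baseline patch installed (a simple compliance metric)."""
    required = {p.patch_id for p in baseline}
    return sorted(h for h, installed in inventory.items()
                  if required <= installed)


# Constructed sample data (hypothetical patch ids, hosts and dates).
BASELINE = [
    RequiredPatch("PATCH-2024-001", "critical", date(2024, 5, 1)),
    RequiredPatch("PATCH-2024-002", "high", date(2024, 5, 10)),
    RequiredPatch("PATCH-2024-003", "medium", date(2024, 5, 20)),
    RequiredPatch("PATCH-2024-004", "low", date(2024, 5, 25)),
]
INVENTORY = {
    "web-01": {"PATCH-2024-001", "PATCH-2024-002",
               "PATCH-2024-003", "PATCH-2024-004"},
    "web-02": {"PATCH-2024-002", "PATCH-2024-003"},
    "db-01": {"PATCH-2024-001", "PATCH-2024-003", "PATCH-2024-004"},
    "legacy-01": set(),
}
TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    report = find_missing_patches(INVENTORY, BASELINE, TODAY)
    for f in report:
        state = f"{f.days_overdue}d overdue" if f.days_overdue > 0 else "within SLA"
        print(f"{f.host:10} {f.patch_id:15} {f.severity:8} {state}")
    print("quarantine (critical, past SLA):", quarantine_candidates(report))
    print("fully patched:", fully_patched_hosts(INVENTORY, BASELINE))
```

In practice the inventory would come from an agent, a vulnerability scanner export or the patch deployment servers' own reports, and the baseline from the vendor advisories the organization has decided apply to it; the reconciliation logic stays the same. Note that the medium and low findings are still listed but land at the bottom of the queue, which is the documented, risk-based deferral that makes choice A acceptable.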
In summary, when assessing patch management, an IS auditor should be most concerned by the absence of a process to regularly scan systems for missing security patches, because it undermines the effectiveness of the entire patching program. Establishing comprehensive, recurring scanning for missing patches should be the top remediation priority.
ISACA CISM certification exam practice question and answer with detailed explanation.