Isaca Exam CISA Topic 8 Question 96 Discussion

Actual exam question for Isaca's CISA exam
Question #: 96
Topic #: 8

The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

Suggested Answer: A

Comprehensive and Detailed Step-by-Step Explanation:

Conducting vulnerability assessments only once per year, right before an audit, creates a false sense of security and leaves systems exposed between assessments.

Annual Testing Before Audit (Correct Answer -- A)

Risks undetected vulnerabilities for extended periods.

Example: A company tests security only before a compliance audit, so vulnerabilities that emerge during the rest of the year remain undetected for months.

Internal Team Conducting Assessments (Incorrect -- B)

Less independent than an external assessment, but how often assessments are performed is the more critical issue.

Focusing on Critical Systems (Incorrect -- C)

Incomplete coverage, but still better than no testing at all.

Using Open-Source Tools (Incorrect -- D)

Open-source tools can be effective if properly configured.

References:

ISACA CISA Review Manual

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)



Fernanda
2 months ago
B is the winner here. I don't trust those internal teams, they always want to make things look better than they are.
upvoted 0 times
Doretha
2 months ago
Haha, I bet the correct answer is A. Waiting until the last minute? That's the IT auditor way, am I right?
upvoted 0 times
Alva
1 month ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
Lewis
1 month ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
Cathrine
2 months ago
C is the way to go. Focusing on critical systems is a smart move, you don't need to waste time on everything.
upvoted 0 times
Sylvie
2 months ago
I think conducting the assessments using open-source testing tools could also be a concern, as they may not be as thorough as proprietary tools.
upvoted 0 times
Santos
2 months ago
D seems like the best option to me. Open-source tools are often more comprehensive and reliable than commercial ones.
upvoted 0 times
Allene
24 days ago
D) Performed using open-source testing tools.
upvoted 0 times
Yoko
29 days ago
C) Performed for critical systems, not for the entire infrastructure.
upvoted 0 times
Asha
2 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
Devorah
2 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
Graciela
3 months ago
I think the answer is B. Having the internal team conduct the assessments could lead to a conflict of interest and potential bias in the results.
upvoted 0 times
Ethan
2 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
Nida
2 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
Paulina
3 months ago
I agree with Carlton. That could lead to a false sense of security.
upvoted 0 times
Carlton
3 months ago
I think the greatest concern would be if the assessments are conducted once per year just before system audits are scheduled.
upvoted 0 times