Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Isaca Exam CISA Topic 8 Question 96 Discussion

Actual exam question for Isaca's CISA exam
Question #: 96
Topic #: 8
[All CISA Questions]

The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

Show Suggested Answer Hide Answer
Suggested Answer: A

Comprehensive and Detailed Step-by-Step Explanation:

Conducting vulnerability assessments only once per year, right before an audit, creates a false sense of security and leaves systems exposed between assessments.

Annual Testing Before Audit (Correct Answer -- A)

Risks undetected vulnerabilities for extended periods.

Example: A company only tests security before a compliance audit, allowing zero-day threats to persist for months.

Internal Team Conducting Assessments (Incorrect -- B)

Not ideal, but regular assessments are more critical.

Focusing on Critical Systems (Incorrect -- C)

Not perfect, but better than no testing at all.

Using Open-Source Tools (Incorrect -- D)

Open-source tools can be effective if properly configured.

References:

ISACA CISA Review Manual

NIST 800-115 (Technical Guide to Security Testing)


by Royal at Feb 07, 2025, 07:54 AM

Limited Time Offer

25%

Off

Get Premium CISA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Fernanda
4 months ago
B is the winner here. I don't trust those internal teams, they always want to make things look better than they are.
upvoted 0 times
...
Doretha
4 months ago
Haha, I bet the correct answer is A. Waiting until the last minute? That's the IT auditor way, am I right?
upvoted 0 times
Alva
3 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
...
Lewis
3 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
...
...
Cathrine
4 months ago
C is the way to go. Focusing on critical systems is a smart move, you don't need to waste time on everything.
upvoted 0 times
...
Sylvie
4 months ago
I think conducting the assessments using open-source testing tools could also be a concern, as they may not be as thorough as proprietary tools.
upvoted 0 times
...
Santos
4 months ago
D seems like the best option to me. Open-source tools are often more comprehensive and reliable than commercial ones.
upvoted 0 times
Allene
3 months ago
D) Performed using open-source testing tools.
upvoted 0 times
...
Yoko
3 months ago
C) Performed for critical systems, not for the entire infrastructure.
upvoted 0 times
...
Asha
3 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
...
Devorah
4 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
...
...
Graciela
4 months ago
I think the answer is B. Having the internal team conduct the assessments could lead to a conflict of interest and potential bias in the results.
upvoted 0 times
Ethan
4 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times
...
Nida
4 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times
...
...
Paulina
4 months ago
I agree with Carlton. That could lead to a false sense of security.
upvoted 0 times
...
Carlton
5 months ago
I think the greatest concern would be if the assessments are conducted once per year just before system audits are scheduled.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77