CISA Certified Information Systems Auditor – Question0076

When conducting a review of security incident management, an IS auditor found there are no defined escalation processes. All incidents are managed by the service desk. Which of the following should be the auditor’s PRIMARY concern?

A.
Inefficient use of service desk resources
B. Management’s lack of high impact incidents
C. Delays in resolving low priority trouble tickets
D. Management’s inability to follow up on incident resolution

Correct Answer: B