CISA Certified Information Systems Auditor – Question2792

Which of the following does a lack of adequate security controls represent?

A. Threat
B. Asset
C. Impact
D. Vulnerability

Correct Answer: D

Explanation:

The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the ‘potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.’ The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.