CISA Certified Information Systems Auditor – Question0234

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

A. Verify the disaster recovery plan (DRP) has been tested.
B. Ensure the intrusion prevention system (IPS) is effective.
C. Confirm the incident response team understands the issue.
D. Assess the security risks to the business.

Correct Answer: D