An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
A. Abuses by employees have not been reported.
B. Vulnerabilities have not been properly addressed.
C. Security incident policies are out of date.
D. Lessons learned have not been properly documented.
A. Abuses by employees have not been reported.
B. Vulnerabilities have not been properly addressed.
C. Security incident policies are out of date.
D. Lessons learned have not been properly documented.