An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
A. Network penetration tests are not performed.
B. The network firewall policy has not been approved by the information security officer.
C. Network firewall rules have not been documented.
The absence of a properly approved network firewall policy poses a significant risk because it indicates a lack of formal oversight, accountability, and governance. An unapproved policy may result in misconfigurations or improper firewall rules, which can compromise the entire security infrastructure, allowing potential attackers to exploit vulnerabilities and gain unauthorized access.
Answer: C
While the other findings (network penetration tests not performed, firewall policy not approved by the information security officer, incomplete network device inventory) also represent potential risks to network security, the absence of documented firewall rules is particularly concerning due to its direct impact on the configuration and management of network security controls. Therefore, it should be ranked as the highest risk in the audit report.
By not performing penetration tests, the organization is leaving itself blind to potential security weaknesses that could be exploited by malicious actors. This represents a significant risk to the confidentiality, integrity, and availability of sensitive data.
An incomplete inventory hampers visibility and management. It can lead to unpatched devices, unauthorized access, and security blind spots.
Remember that risk assessment considers both likelihood and impact. In this case, the incomplete inventory poses immediate operational and security risks.
D is the accurate answer. Without a complete inventory of the network in an enterprise, you won't be able to assess the risk. This is the highest risk, and then B comes.
The perfect answer would have been B (approval by an info sec officer), but looking at the context of the question, the "fieldwork phase" has been completed, so I think D would be a better option.
B. The network firewall policy has not been approved by the information security officer.
The fact that the network's firewall policy has not been approved by the information security officer indicates a lack of control and governance over the network's security settings. This can result in greater vulnerability to attacks and a greater likelihood of security breaches. The lack of approval of the firewall policy can indicate that the security rules have not been established properly and the established security standards are not being followed. This represents a significant risk to the integrity and confidentiality of network data.
It is important to note that the risk classification may vary depending on the context and the specific circumstances of the audited organization. Therefore, it is recommended that the IS auditor perform a full evaluation of the findings and consider other relevant factors before finalizing the highest risk classification.
The approval of the network firewall policy by the information security officer is crucial for ensuring that the organization's network security measures align with established standards, guidelines, and best practices. Without the approval of the information security officer, there is a higher risk of inadequate or ineffective firewall configurations, which can leave the network vulnerable to unauthorized access and potential security breaches.
The highest risk among the listed findings is that network penetration tests are not performed. Without these tests, the organization is unable to identify and address potential vulnerabilities and weaknesses in their network, increasing the likelihood of successful attacks or unauthorized access.
B. The network firewall policy has not been approved by the information security officer should be ranked as the HIGHEST risk. This finding indicates a lack of proper oversight and control over the network security, which can lead to potential breaches or unauthorized access to sensitive data. The approval of the information security officer is important for ensuring the effectiveness of the firewall policy and its compliance with security standards. The other findings, although significant, do not pose as high a risk as the absence of an approved firewall policy.
I think that approving the network firewall policy resides with a higher level other than the information security officer, such as the BOD and senior management.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other