Information Security Awareness Program - IS Auditor's Concerns

Greatest Concerns for Auditing an Organization's Information Security Awareness Program


Question

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's information security awareness program?

Answers

Explanations


A.

When auditing an organization's information security awareness program, the IS auditor should be primarily concerned with whether the program is effective in increasing employees' awareness and understanding of information security risks and best practices. This is critical because human error is often the cause of security breaches, and a strong security awareness program can help minimize these risks.

Out of the given options, option A indicates that new hires are not receiving security awareness training as part of their onboarding process. This is a cause for concern because new hires are typically not familiar with the organization's policies and procedures, and they may inadvertently compromise the organization's security if they are not aware of the risks and best practices.

Option B indicates that the number of security incidents logged by employees has increased, which could suggest that the current security awareness program is not effective in preventing incidents. However, the IS auditor should also investigate the nature and severity of these incidents before drawing any conclusions.

Option C indicates that the training quizzes are designed and run by a third-party company. While this could be a cause for concern if the third-party company does not have the necessary expertise or experience in information security, it is not necessarily a major issue if the organization has properly vetted the third-party company and ensures that the content of the training is aligned with its policies and procedures.

Option D indicates that the security awareness training is run via the organization's enterprise-wide e-learning portal. While this could be an effective and efficient way of delivering training to a large number of employees, the IS auditor should also ensure that the content of the training is up-to-date, relevant, and aligned with the organization's policies and procedures.

Therefore, option A should be of the greatest concern to the IS auditor as it suggests that a significant portion of the organization's workforce is not receiving security awareness training during their onboarding process, which could lead to increased risks to the organization's security.