An IS auditor finds that firewalls are outdated and not supported by vendors.
Which of the following should be the auditor's NEXT course of action?
A. B. C. D.B.
The correct answer to this question is D. Determine the risk of not replacing the firewall.
Explanation: An IS auditor's primary objective is to assess the security posture of an organization and identify any potential risks and vulnerabilities. In this scenario, the auditor has discovered that the firewalls being used by the organization are outdated and not supported by vendors.
The next course of action for the auditor should be to determine the risk associated with not replacing the firewall. This involves assessing the potential impact of a security breach, the likelihood of such a breach occurring, and the adequacy of any existing mitigating controls.
By determining the risk of not replacing the firewall, the auditor can provide the organization with a clear understanding of the potential consequences of inaction. This will allow the organization to make an informed decision on whether to replace the firewall or to accept the risk associated with continuing to use outdated technology.
While determining the value of the firewall and reporting on the security posture and mitigating controls are important tasks for an IS auditor, they are not the next course of action in this scenario. The primary focus should be on identifying and assessing the risk associated with the outdated firewall.