Free ISACA CISA Actual Exam Questions - Question 15 Discussion

Question No. 15
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Marco G.
2026-02-22

It’s B—non-expiring admin passwords are a clear, ongoing attack vector.

0
Sohail P.
2026-02-18

B stands out to me because if admin passwords never expire, it’s easier for attackers to gain ongoing access once compromised. Does anyone think non-expiring passwords pose a bigger immediate danger than legacy data or default settings?

0
Sohail P.
2026-01-24

C/D? Default settings can open big vulnerabilities, but missing logs hide attacks too.

0
Sohail P.
2026-01-23

Maybe C, because default settings often include weak security and can be exploited easily if left unchanged, leading to a bigger risk than just logging gaps or password policies.

0
Farhan J.
2026-01-15

Actually, D sounds the worst here since incomplete logging means you might not catch breaches or suspicious actions. Without proper tracking, a lot can slide under the radar.

0