An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS
auditor should conclude that:

A.
this lack of knowledge may lead to unintentional disclosure of sensitive information.

B.
information security is not critical to all functions.

C.
IS audit should provide security training to the employees.

D.
the audit finding will cause management to provide continuous training to staff.

Explanation:
All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure
of sensitive information. Training is a preventive control. Security awareness programs for employees can
prevent unintentional disclosure of sensitive information to outsiders.