2002 Chap 4
CISA Review Course
Chapter 4
Protection of Information Assets

Chapter Overview
• Logical Access Exposures and Controls
• Network Infrastructure Security
• Auditing Network Infrastructure Security
• Environmental Exposures and Controls
• Physical Access Exposures and Controls
Chapter Objective
“This content area addresses the knowledge that an IS auditor must have in order to evaluate the organization’s logical, environmental and IT infrastructure security. Knowledge in this area enables the IS auditor to determine whether the security in place satisfies the organization’s business requirements for safeguarding information assets.”
Chapter 4 Summary
According to the Certification Board, this Content Area will represent approximately 25% of the CISA examination (approximately 50 questions).
Logical Access Exposures and Controls
To retain a competitive advantage and to meet basic business requirements, organizations must:
• Ensure the integrity of the information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure the continued availability of their information systems
• Ensure conformity to laws, regulations and standards
Logical Access Exposures and Controls
Components of a Security Policy
• Management support and commitment
• Access philosophy
• Compliance with relevant legislation and regulations
• Access authorization
• Reviews of access authorization
• Security awareness
• Role of the security officer
• Security committee
Logical Access Exposures and Controls
Paths of Logical Access
• Network connectivity
• Remote access
• Operator console
• Online terminals
Logical Access Exposures and Controls
Logical Access Issues and Exposures
Technical Exposures
• Data diddling
• Trojan horses
• Rounding down
• Salami techniques
• Viruses
• Worms
• Logic bombs
• Trap doors
• Asynchronous attacks
• Data leakage
• Wire-tapping
• Piggybacking
• Computer shut down
• Denial of service
Logical Access Issues and Exposures
Viruses usually attack four parts of the computer:
• Executable program files
• File-directory system, which tracks the location of all the computer’s files
• Boot and system areas that are needed to start the computer
• Data files
Logical Access Exposures and Controls
Controls over Viruses
• Build any system from original, clean master copies.
• Boot only from original diskettes whose write protection has always been in place.
• Allow no disk to be used until it has been scanned on a stand-alone machine.
• Update virus scanning definitions/signatures frequently.
• Write-protect all diskettes.
• Have vendors run demonstrations on their machines, not yours.
Logical Access Exposures and Controls
Antivirus software
• Scanners
• Active monitors
• Integrity checkers
Logical Access Issues and Exposures
Computer crime exposures
• Financial loss
• Legal repercussions
• Loss of credibility or competitive edge
• Blackmail/industrial espionage
• Disclosure of confidential, sensitive or embarrassing information
• Sabotage

Logical Access Issues and Exposures
Computer crime exposures
• Logical access violators
– Hackers
– Employees and former employees
– IS personnel
– End users
– Former employees
– Interested or educated outsiders
– Part-time and temporary personnel
– Vendors and consultants
– Accidental ignorant
Logical Access Exposures and Controls
Access Control Software
• Tasks they perform
• Authorization functions they provide
• Standard functions

Logical Access Exposures and Controls
Access Control Software Continued…
• Process of access requests
• List of computerized files and facilities
• Advantages of decentralized environment

Logical Access Exposures and Controls
Access Control Software Continued…
• Risks associated with distributed responsibility for security administration
• Ways to control remote and distributed sites
Logical Access Exposures and Controls
Logical Security Features, Tools and Procedures
Authentication techniques for logical access control
Logon-ids and passwords
• Features of passwords
• Password syntax (format) rules
• Logging computer access
Logical Access Exposures and Controls
Logical Security Features, Tools and Procedures
Logging Computer Access
• Performing security access follow-up
• Reported attempted violations

Logical Access Exposures and Controls
Logical Security Features, Tools and Procedures
• Token devices (one-time passwords)
• Biometric security access control
• Workstation (PC or terminals) usage restraints
• Dial-back procedures
Logical Access Exposures and Controls
Logical Security Techniques
• Restrict and monitor access to computer features that bypass security
• Logging of online activity

Logical Access Exposures and Controls
Logical Security Features, Tools and Procedures
• Data classification
• Safeguards for confidential data on a PC
• Naming conventions for access controls
Logical Access Exposures and Controls
Auditing Logical Access
• Familiarization with the IS processing environment
• Document access paths
• Interview systems personnel
• Review reports from access control software
Logical Access Exposures and Controls
Audit and Evaluation Features, Tools and Procedures
• Review application systems operations manual
• Review written policies, procedures and standards
• Logical access security policies
• Formal security awareness and training
• Data ownership
– Data owners
– Data custodians

Logical Access Exposures and Controls
Audit and Evaluation Features, Tools and Procedures
– Security administrator
– Data users
• Documented authorizations
• Access standards

Test Security
• Use of terminal cards and keys
• Terminal identification
• Logon-ids and passwords
• Controls over production resources
• Logging and reporting of computer access violations
Logical Access Exposures and Controls
Test Security Continued…
• Follow-up access violations
• Dial-up access controls
• Authorization of network changes
• Identification of methods of bypassing security and compensating controls
• Review access controls and password administration
Logical Access Exposures and Controls

Network Infrastructure Security
LAN Security
• Controls over the communication network
• Common network management/control software packages
Local Area Networks
• LAN security
• LAN risk/issues
• Dial-up access controls
IS Network and Telecommunication Infrastructure
Network Infrastructure Security
Client/Server Security
Control techniques in place
• Securing access to data or application
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application level access control programs

Client/Server Security
Client/server risks and issues
IS Network and Telecommunication Infrastructure
Network Infrastructure Security
Internet Threats and Security
Areas of control
• Corporate internet policies and procedures
• Firewall standards
• Firewall security
• Data security controls

Internet Threats and Security
• Network analysis
• Eavesdropping
• Traffic analysis
• Brute-force attack
• Masquerading
• Packet replay
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing
Network Infrastructure Security
Impact of Internet Threats
• Loss of income
• Increased cost of recovery
• Increased cost of retrospectively securing systems
• Loss of information
• Loss of trade secrets
• Damage to reputation
• Legal and regulatory noncompliance
• Failure to meet contractual commitments

Network Infrastructure Security
Internet Threats and Security
Causal factors for internet attacks
• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls
Internet security controls
Network Infrastructure Security
Encryption
Key elements of encryption systems
• Encryption algorithm
• Encryption keys
• Key length
Private key cryptographic systems
Public key cryptographic systems
Network Infrastructure Security
Encryption Continued...
• Elliptical curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures
Network Infrastructure Security
Encryption Continued...
Public key infrastructure
• Digital certificate
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list
• Certification practice statement (CPS)
Network Infrastructure Security
Encryption Continued...
Use of encryption in OSI protocols
• SSH
• Secure sockets layer (SSL)
• S-HTTP
• IP security
• Secure multipurpose Internet mail extensions (S/MIME)
• Internet key exchange (IKE)
• Secure electronic transactions (SET)
• Kerberos
Network Infrastructure Security
Encryption Continued…
Applications of the public/private key encryption process
• E-mail security
• Internet security
Encryption risks and password protection demystified
Network Infrastructure Security
Firewall Security Systems
Firewall Types
• Router packet filtering
• Application firewall systems
• Stateful inspection
Network Infrastructure Security
Firewall Security Systems Continued...
Examples of Firewall Implementations
• Screened host firewall
• Dual homed firewall
• Demilitarized zone (DMZ) or screened subnet firewall
Firewall Issues
Network Infrastructure Security
Intrusion Detection Systems (IDS)
An element of securing networks that complements firewall implementations.
Broad categories
• Network-based
• Host-based
Types of IDS
• Signature-based
• Statistical-based
• Neural networks
Features
Limitations
Auditing Network Infrastructure Security
Auditing Internet Connections
• Review network diagrams
• Remote access security
• Infrastructure

Auditing Network Infrastructure Security
Auditing Internet Connections
Development and change control
• Firewalls
• Routers
• Bridges
Logical security
Environmental Exposures and Controls
Environmental Issues and Exposures
• Fire
• Natural disasters
• Power failure and spike
• Air conditioning failure
• Others
Environmental Exposures and Controls
Environmental Issues and Exposures
• Power supply properly controlled?
• Air conditioning, humidity and ventilation within specifications?
• Computer equipment protected from the effect of static electricity?
• Consumption of food prohibited around the equipment?
• Backup media protected?
Environmental Exposures and Controls
Controls for Environmental Exposures
• Water detectors
• Hand-held fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
– Water-based
– Dry pipe sprinkling
– Halon
– Carbon dioxide
Environmental Exposures and Controls
Controls for Environmental Exposures Continued...
• Computer room location
• Fire department inspections
• Fireproof walls, floors and ceilings
• Electrical surge protectors
• Uninterruptible power supply (UPS)
• Emergency power-off switch

Environmental Exposures and Controls
Controls for Environmental Exposures Continued...
• Power leads from two substations
• Wiring placed in electrical panels and conduit
• Prohibitions against eating, drinking and smoking within the IPF
• Fire resistant office materials
• Documented and tested emergency evacuation plans
Environmental Exposures and Controls
Auditing Environmental Controls
• Water and smoke detectors
• Hand-held fire extinguishers
• Fire suppression systems
• Regular fire department inspections
• Fireproof walls, floors and ceilings surrounding the computer room

Environmental Exposures and Controls
Auditing Environmental Controls Continued…
• Electrical surge protectors
• Power leads from two substations
• Fully documented and tested business continuity plan
• Wiring placed in electrical panels and conduit
• UPS/generator
• Documented and tested emergency evacuation plans
• Humidity/temperature control
Physical Access Exposures and Controls
Physical Access Issues and Exposures
• Physical access exposures
• Possible perpetrators

Physical Access Exposures and Controls
Physical Access Controls
• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging

Physical Access Exposures and Controls
Physical Access Controls Continued…
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors

Physical Access Exposures and Controls
Physical Access Controls Continued…
• Not advertising the location of sensitive facilities
• Computer terminal locks
• Controlled single entry point
• Alarm system
• Secured report/document distribution cart

Physical Access Exposures and Controls
Audit Physical Access
• Touring the information processing facility (IPF)
• Testing of physical safeguards
Chapter 4: Glossary
• Access Control Table
• Asymmetric Key (Public Key)
• Authentication
• Biometrics
• Card Swipes
• Challenge/Response Token

Chapter 4: Glossary
• Digital Signature
• Dry-pipe Fire Extinguisher System
• Encryption
• Trojan Horse
Chapter 4: Recap
• Group discussion
• Questions
Chapter 4: Questions
1. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules to authorized staff
D. System access restricted to business hours

Chapter 4: Questions
2. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

Chapter 4: Questions
3. The MOST effective method for limiting the damage of an attack by a software virus is:
A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.

Chapter 4: Questions
4. Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP.
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode, with the nested services of AH and ESP.

Chapter 4: Questions
5. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data encryption standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

Chapter 4: Questions
6. The PRIMARY objective of a firewall is to protect:
A. Internal systems from exploitation by external threats.
B. External systems from exploitation by internal threats.
C. Internal systems from exploitation by internal threats.
D. Itself and attached systems against being used to attack other systems.

Chapter 4: Questions
7. Access authorization to computerized information should be provided by the:
A. data owner.
B. data administrator.
C. database administrator.
D. security administrator.

8. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator (DBA).
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe system’s noncritical applications.
D. Most LANs do not back up file server fixed disks regularly.

Chapter 4: Questions
9. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator’s workload would increase.
D. user access rights would be increased.

Chapter 4: Questions
10. During a review of system access rules, an IS auditor noted that technical support personnel have unlimited access to all data and program files. Such access authority is:
A. appropriate, but all access should be logged.
B. appropriate, because technical support personnel can access all data and program files.
C. inappropriate, since access should be limited to a need-to-know basis, regardless of position.
D. inappropriate, because technical support personnel have the capacity to run the system.