Assess Logical And Physical Access Controls


CPA Information Systems and Controls (ISC) › Assess Logical And Physical Access Controls

Questions 1 - 10
1

Role-based access control (RBAC) differs from discretionary access control (DAC) in that RBAC:

A. Allows individual data owners to grant access to whoever they choose.

B. Grants access based on the sensitivity label of the data, not the user's role.

C. Assigns access rights based on predefined organizational roles, reducing the complexity of managing individual user permissions.

D. Allows users to define their own access levels within their assigned permissions.

Explanation

RBAC assigns permissions to roles (job functions) and users are assigned to roles, simplifying access management at scale. DAC allows resource owners to control access. Answer C is correct. Data owner discretion (A) describes DAC. Sensitivity labels (B) describe mandatory access control (MAC). User-defined access levels (D) also describe DAC.

2

During an IT audit, an auditor finds that a former employee's Active Directory account was not disabled after termination three months ago. This represents a failure of which control?

A. User access provisioning and deprovisioning controls - accounts must be promptly disabled upon termination to prevent unauthorized access.

B. Encryption controls - the former employee's data should have been encrypted.

C. Physical access controls - the former employee should have returned their access badge.

D. Change management controls - the account status change was not properly documented.

Explanation

Failure to disable a terminated employee's account is a deprovisioning control failure - a significant risk because the former employee retains access to systems and data. Answer A is correct. Encryption (B) and physical badge return (C) are separate controls. Change management (D) is unrelated to identity lifecycle.

3

Which of the following physical controls provides the strongest protection for a data center against unauthorized entry?

A. Security cameras that record all entry and exit events.

B. A sign-in log requiring all visitors to record their name and time of entry.

C. A security guard stationed at the building entrance.

D. A mantrap (airlock) requiring biometric verification, with only one door open at a time, allowing entry of one person after identity is confirmed.

Explanation

A mantrap with biometric verification is the strongest preventive physical control - it stops tailgating, requires individual identity verification, and physically prevents unauthorized entry. Answer D is correct. Security cameras (A) and sign-in logs (B) are detective controls. A security guard (C) is a human preventive control but is less reliable than an automated biometric mantrap.

4

An organization allows all employees to access the company's financial reporting system with full read/write privileges, regardless of their job function. The most significant risk of this access configuration is:

A. System performance may degrade due to too many simultaneous users.

B. The financial reporting system may not support the number of concurrent users.

C. Employees outside the finance function can view, modify, or delete sensitive financial data, violating the principle of least privilege and creating fraud and error risks.

D. The system may generate audit log entries for all user actions, consuming storage.

Explanation

Unrestricted access to financial systems violates least privilege and segregation of duties, enabling unauthorized modification of financial data by employees with no legitimate need for that access. Answer C is correct. Performance (A), user capacity (B), and log storage (D) are operational concerns, not the primary risk.

5

A company implements 'single sign-on' (SSO) technology for all its enterprise applications. Which of the following is the primary security consideration that must be addressed with SSO?

A. SSO requires all applications to use the same database schema.

B. SSO increases the number of passwords employees must remember.

C. SSO is only compatible with cloud-based applications.

D. If an SSO account is compromised, the attacker gains access to all applications the user can access, making strong authentication for SSO critical.

Explanation

SSO centralizes authentication, so a compromised SSO credential gives an attacker access to every connected application. This makes robust MFA and monitoring of SSO accounts critically important. Answer D is correct. SSO requires no database schema alignment (A). SSO reduces password burden (B). SSO works with on-premises and cloud applications (C).

6

Which of the following physical access controls is primarily detective in nature?

A. Biometric scanners required for entry to restricted areas.

B. Locked server cabinets within the data center.

C. CCTV cameras recording all movement in and around the data center.

D. Security guards requiring badge verification before entry.

Explanation

CCTV cameras record activity for later review - they detect and document security events but do not prevent unauthorized access by themselves (preventive controls do that). Answer C is correct. Biometric scanners (A), locked cabinets (B), and security guards (D) are all preventive physical controls.

7

Which of the following describes 'separation of duties' as it applies to logical access controls?

A. Requiring two different passwords to access the same system.

B. Dividing IT functions between multiple data centers to reduce single points of failure.

C. Requiring employees to log out of systems when leaving their desk.

D. Ensuring that no single user has access rights that would allow them to complete a sensitive transaction from start to finish without another person's involvement.

Explanation

Separation of duties in access control means access rights are structured so that completing high-risk transactions (e.g., creating and approving a payment) requires more than one person, reducing fraud risk. Answer D is correct. Two passwords for one system (A) is MFA. Physical redundancy (B) is availability. Screen locking (C) is a session control.

8

An IT auditor selects a sample of user accounts in a critical financial application and requests that the system owner confirm whether each user still requires their current level of access. This procedure tests which access control objective?

A. Authentication - verifying that users are who they claim to be when logging in.

B. Authorization appropriateness - confirming that access rights remain aligned with current job responsibilities.

C. Encryption - ensuring sensitive data accessed by users is protected.

D. Physical access - confirming users are authorized to enter the data center.

Explanation

This procedure tests whether authorized access rights remain appropriate - a core access control objective ensuring users only have access they currently need. Answer B is correct. Authentication testing (A) tests login controls. Encryption (C) and physical access (D) are separate control areas.

9

A company uses identity and access management (IAM) software to automate user provisioning and deprovisioning. The primary benefit of this automation is:

A. Ensuring access is granted and revoked consistently, promptly, and with a complete audit trail, reducing the risk of orphaned accounts or access overprovisioning.

B. Eliminating the need for access control policies since automation enforces rules automatically.

C. Allowing employees to self-approve their own access requests.

D. Replacing the need for MFA by automating authentication.

Explanation

IAM automation ensures that provisioning follows defined rules consistently, deprovisioning occurs immediately upon termination, and all actions are logged - reducing manual errors and orphaned accounts. Answer A is correct. Policies remain necessary to define rules (B). Self-approval violates authorization controls (C). IAM does not replace MFA (D).

10

Which of the following physical access controls is specifically designed to prevent 'tailgating' (piggybacking) into secured facilities?

A. Security cameras at all entry points.

B. Visitor sign-in logs at the reception desk.

C. Key-card access for all exterior doors.

D. Mantraps or turnstiles that allow only one person to pass through at a time after individual authentication.

Explanation

Tailgating - following an authorized person through a secured door - is specifically prevented by mantraps and turnstiles that physically permit only one person per authentication event. Answer D is correct. Cameras (A) detect tailgating after the fact. Sign-in logs (B) track visitors but do not prevent tailgating. Key-card doors (C) alone do not prevent one person from following another through.

Page 1 of 3