Evaluate Logical Access Controls And Authentication
CPA Information Systems and Controls (ISC)
An auditor evaluating logical access controls selects a sample of active user accounts in a financial system and requests confirmation from the system owner that each account is still needed and appropriately privileged. This procedure tests:
Password complexity requirements for each sampled account.
Whether the users have completed security awareness training.
The operating effectiveness of the user access review (recertification) control.
Whether MFA is enabled for each sampled account.
Explanation
Confirming with system owners that active accounts are still needed and appropriately privileged is a user access recertification test - directly evaluating whether access review controls are operating effectively. Answer D is correct. Password complexity (A), training completion (B), and MFA status (C) are separate control areas.
Which of the following authentication methods provides the strongest protection against credential theft attacks such as phishing?
SMS-based one-time passwords sent to the user's mobile phone.
Security questions asking for personal information such as mother's maiden name.
Hardware security keys (FIDO2/WebAuthn) that provide phishing-resistant MFA by cryptographically binding authentication to the legitimate website.
A static password of at least 16 characters.
Explanation
FIDO2/WebAuthn hardware keys are phishing-resistant because authentication is cryptographically tied to the origin (website URL) - fake phishing sites cannot intercept the authentication. Answer D is correct. Long static passwords (A) can still be phished. SMS OTPs (B) can be intercepted via SIM swapping. Security questions (C) are easily researched.
An organization implements just-in-time (JIT) privileged access for system administrators. The primary benefit of JIT access is:
Privileged access is granted only when needed and for a defined duration, reducing the window of exposure if credentials are compromised.
JIT access automatically logs all administrator activities without requiring a separate audit log.
Administrators can access all systems simultaneously during incident response.
JIT access eliminates the need for multi-factor authentication for privileged accounts.
Explanation
JIT access minimizes standing privileged access - credentials are only active for specific tasks and time windows, dramatically reducing the risk if privileged credentials are stolen. Answer C is correct. JIT restricts, not broadens, concurrent access (A). MFA remains necessary (B). JIT is not a logging mechanism (D).
A company requires all privileged accounts (system admins, database admins) to use separate named accounts rather than sharing a single 'admin' account. The primary control objective of this requirement is:
To comply with a specific regulatory requirement mandating individual accounts.
To maintain individual accountability - actions performed under named accounts can be attributed to specific individuals in audit logs.
To ensure privileged users complete their work faster with dedicated accounts.
To improve system performance by distributing administrative load across multiple accounts.
Explanation
Named individual privileged accounts ensure that every administrative action is attributed to a specific person in audit logs, supporting accountability, forensics, and non-repudiation. Answer D is correct. Performance (A) and efficiency (B) are not the control objectives. While regulations may require named accounts (C), accountability is the fundamental security principle.
An organization implements an identity and access management (IAM) solution that automatically provisions and deprovisions user access based on HR system changes. The primary control benefit of this integration is:
Automated provisioning eliminates the need for access control policies.
Access changes are applied consistently and promptly when HR events occur (new hire, role change, termination), reducing orphaned accounts and access creep.
The IAM solution provides stronger encryption for all system passwords.
The IAM solution eliminates the need for any manual access reviews since provisioning is automated.
Explanation
HR-IAM integration ensures access lifecycle events are processed promptly and consistently - new accounts are created immediately, terminations are actioned on the last day, and role changes update access automatically. Answer B is correct. Manual reviews remain necessary to verify appropriateness (A). IAM manages access, not password encryption (C). Policies remain necessary to define access rules (D).
Which of the following authentication attack types is most effectively mitigated by implementing account lockout policies?
Man-in-the-middle attacks that intercept authentication sessions.
Phishing attacks that trick users into entering credentials on fake websites.
Credential stuffing attacks using previously breached username/password pairs.
Brute-force attacks that attempt many password combinations in rapid succession.
Explanation
Account lockout policies limit the number of failed login attempts before an account is temporarily locked - directly preventing brute-force attacks that rely on rapid trial-and-error. Answer A is correct. Phishing (B) is mitigated by MFA and awareness training. Credential stuffing (C) uses valid credentials and may bypass lockouts if attempts are distributed. MITM attacks (D) are mitigated by TLS and certificate validation.
A user in the finance department transfers to the IT department. Under a least-privilege access control framework, the most appropriate action is:
Remove the user's finance system access and provision new IT system access appropriate to the new role, following a formal access change request and approval.
Grant the user full IT administrative access immediately without reviewing their prior access.
Retain all prior access for 90 days as a transition period before deprovisioning.
Allow the user to retain all prior finance system access since they may occasionally consult on financial matters.
Explanation
Role changes require immediate access adjustment - removing old access that is no longer needed and provisioning new access for the current role. This prevents access creep and maintains least privilege. Answer C is correct. Retaining old access (A, D) violates least privilege. Granting full IT access without review (B) violates least privilege in the other direction.
An auditor testing authentication controls for a cloud-based financial application finds that MFA is not enforced for user accounts accessing the application from within the corporate network. The auditor should:
Accept this since corporate network access is inherently secure.
Flag this as a control gap - insider threats, compromised network access, or VPN breaches mean internal network location alone does not provide sufficient authentication assurance for a financial application.
Accept this since cloud applications do not require MFA for internal users.
Accept this if the VPN requires MFA.
Explanation
The corporate network is not a trusted authentication factor - insider threats, compromised devices on the network, and network breaches mean MFA should be required for all access to sensitive financial applications regardless of network location. Answer D is correct. Internal network location is not a substitute for MFA (A, B, C).
Which of the following represents the most comprehensive approach to evaluating the operating effectiveness of logical access controls?
Interviewing the IT security manager about the access control process.
Reviewing the access control policy document and confirming its approval date.
Combining user access listing analysis (population), recertification testing, new user provisioning testing, termination testing, and privileged access testing across the audit period.
Confirming that the IAM system was purchased from a reputable vendor.
Explanation
Comprehensive logical access control testing covers the full user lifecycle: who has access (population analysis), ongoing appropriateness (recertification), new grants, removals, and privileged account management - across the entire audit period. Answer A is correct. Policy review (B), interviews (C), and vendor reputation (D) provide design evidence but not operating effectiveness.
A financial services company uses behavioral analytics to detect anomalous user activity (e.g., accessing unusual amounts of data, logging in from new countries). This type of control is best classified as:
A preventive access control that blocks suspicious logins in real time.
A detective access control that identifies potentially compromised or malicious accounts through anomalous behavior patterns.
A corrective control that resets compromised user credentials.
A compensating control used when traditional MFA is not available.
Explanation
Behavioral analytics detects anomalies after access occurs - identifying suspicious patterns that may indicate compromised credentials or insider threats. This is a detective control. Answer C is correct. Behavioral analytics typically alerts rather than blocks immediately (A). It detects, not corrects (B). It is a primary detective control, not a compensating one (D).