CISA - Certified Information Systems Auditor Logical Access Controls Questions and Answers

Question 1

An IS auditor discovers that a shared administrator account is used by several network engineers to manage critical infrastructure.
Which of the following is the GREATEST risk associated with this practice?

Accepted Answer

Inability to trace specific actions to an individual engineer.

Answer

Increased likelihood of password compromise due to social engineering.

Answer

Complexity in managing access when an engineer changes roles.

Answer

Violation of the principle of 'need-to-know'.

Question 2

An organization wants to implement a logical access model where permissions are assigned to groups based on job functions, rather than to individual users. Which of the following access control models BEST meets this requirement?

Accepted Answer

Role-Based Access Control (RBAC)

Answer

Discretionary Access Control (DAC)

Answer

Mandatory Access Control (MAC)

Answer

Attribute-Based Access Control (ABAC)

Question 3

During a review of identity and access management, an IS auditor notes that the organization has not performed a user access review for over a year, despite significant employee turnover and role changes. The PRIMARY risk this creates is:

Accepted Answer

the accumulation of excessive access rights, known as privilege creep.

Answer

inefficient onboarding of new employees.

Answer

noncompliance with software licensing agreements.

Answer

increased help desk costs for password resets.

Question 4

Which of the following is the PRIMARY security benefit of implementing a Single Sign-On (SSO) solution across an organization?

Accepted Answer

It reduces the attack surface by decreasing the number of stored credentials.

Answer

It improves the user experience by eliminating the need for multiple logins.

Answer

It centralizes the administration of user accounts.

Answer

It transfers the risk of authentication to a third-party vendor.

Question 5

An IS auditor is evaluating controls over privileged accounts in a large enterprise. Which of the following is the MOST effective control for mitigating the risks associated with administrator access?

Accepted Answer

Implementing a Privileged Access Management (PAM) solution with session monitoring.

Answer

Enforcing a complex password policy for all administrator accounts.

Answer

Conducting annual background checks on all system administrators.

Answer

Requiring all administrators to sign a nondisclosure agreement (NDA).

Question 6

A financial institution is designing the logical access controls for its new online banking platform. To provide strong assurance of user identity, which of the following should be the MINIMUM requirement for customer authentication?

Accepted Answer

Multi-factor authentication (MFA).

Answer

A complex password that changes every 90 days.

Answer

A user ID combined with a security question.

Answer

Biometric authentication, such as a fingerprint scan.