I have written a question that usually confuses CISA exam students regarding access control. If you are not from an IT background, this question may appear very confusing to you as well.
Ransom’s Question on 19/03/2017 – User Access Review
An IS auditor has been assigned to perform a general computer controls (GCC) review for a media organisation. The IS auditor notes that user access credentials (username and password) are shared. The highest risk resulting from this practice is that:
Select an answer:
A – an unauthorised and malicious user may use the shared ID to gain access to vital system resources.
B – user access management is time-consuming and there are limited IT administrators.
C – user accountability is not established.
D – passwords are easily guessed, as they include the users’ year of birth.
Let us apply the K-E-C approach in answering this question.
Please note that the K-E-C approach is as follows:
K = Keyword, phrase or stem of the question
E = Eliminate two incorrect options
C = Choose the best answer for the remaining two options, linking the answer to the Key or K.
So let us approach this question.
K = Key – The key phrase here is “highest risk”. This question is about risk exposure. There are two factors to weigh for this key: the highest risk is the one whose likelihood of occurring is high and whose impact is also high.
Below is a picture of the process. This illustration will help you in quickly identifying the highest risk area.
E = Eliminate two options – If we go through the options above, we can easily eliminate options B and D.
Option B says “user access management is time-consuming and there are limited IT administrators”. The absence of sufficient administrators to manage user access is a risk, but it is not one of the highest risks when we consider the other risks mentioned. This option is thus incorrect.
Option D says “passwords are easily guessed, they include the year of birth of users”. This option is a risk, but not the highest risk, since a hacker would first need to know the users’ personal information in order to access the system.
C = Choose the correct answer that lines up with the KEY – We are thus left with options A and C to choose from.
Option A says “an unauthorised and malicious user may use the shared ID to gain access to vital system resources”. In order to determine whether this is the highest risk, we need to look at option C.
Option C says “user accountability is not established”. The user accountability risk encompasses all the other forms of risk mentioned above. The mere fact that, once system access is breached, we are unable to identify the user and cannot hold anyone accountable is the highest risk. Even if a hacker obtains the username and password, we should be able to know which user’s access was breached and hold that user accountable for not meeting the password rules.
The correct answer is thus C – “user accountability is not established”. It lines up with the “key”, which was to identify the highest risk.
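To show what “accountability is not established” looks like in an audit log, here is an added Python example (my own illustration, not part of Ransom’s post). It parses a small constructed log, flags an account that is logged in from several hosts at the same time (the usual footprint of a shared credential), and then tries to attribute a sensitive action to a person. The log format, the usernames, the hosts and the CREDENTIAL_HOLDERS mapping are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication/audit log (not from the article).
# Format: <ISO timestamp> <EVENT> <username> <source host> [<object>]
SAMPLE_LOG = """\
2017-03-19T08:00:05 LOGIN newsdesk 10.1.2.11
2017-03-19T08:01:10 LOGIN newsdesk 10.1.2.12
2017-03-19T08:02:30 LOGIN newsdesk 10.1.2.13
2017-03-19T08:05:00 DELETE newsdesk 10.1.2.12 /archive/story-4412.xml
2017-03-19T08:10:00 LOGIN j.okafor 10.1.3.21
2017-03-19T08:12:00 DELETE j.okafor 10.1.3.21 /archive/story-4413.xml
2017-03-19T08:30:00 LOGOUT newsdesk 10.1.2.11
2017-03-19T17:00:00 LOGIN j.okafor 10.1.3.40
"""

# Constructed (hypothetical) record of who knows each credential. A shared
# ID maps to several people; an individual ID maps to exactly one.
CREDENTIAL_HOLDERS = {
    "newsdesk": {"a.smith", "b.jones", "c.lee"},
    "j.okafor": {"j.okafor"},
}


def parse_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "event": parts[1],
            "user": parts[2],
            "host": parts[3],
            "obj": parts[4] if len(parts) > 4 else None,
        })
    return events


def find_shared_accounts(events, window=timedelta(minutes=15), min_hosts=2):
    """Return {username: sorted hosts} for accounts that logged in from
    min_hosts or more distinct hosts inside one `window`. Overlapping
    logins from different machines are a strong indicator that the
    credential is known to several people."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN":
            logins[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def attribute(event, holders=CREDENTIAL_HOLDERS):
    """Who can be held accountable for `event`?
    Returns (accountable, candidates). Accountability exists only when the
    username maps to exactly one person; a shared ID yields a candidate
    list, which is precisely the situation option C describes."""
    candidates = holders.get(event["user"], set())
    return len(candidates) == 1, sorted(candidates)


def review(text):
    """Run both checks over the log: shared-credential indicators and
    accountability for every DELETE action."""
    events = parse_log(text)
    shared = find_shared_accounts(events)
    findings = []
    for e in events:
        if e["event"] == "DELETE":
            ok, who = attribute(e)
            findings.append({
                "object": e["obj"],
                "user": e["user"],
                "host": e["host"],
                "accountable": ok,
                "candidates": who,
            })
    return shared, findings


if __name__ == "__main__":
    shared, findings = review(SAMPLE_LOG)
    print("Accounts with concurrent multi-host logins:", shared)
    for f in findings:
        print(f)
```

Running it, the shared `newsdesk` account is flagged because three hosts log in within a couple of minutes, and the deletion performed under that ID can only be narrowed to three candidates. The deletion under `j.okafor` is attributable to one person. Note that the source host does not rescue the shared account: it tells you which desk, not which person, and the auditor still cannot hold anyone to the password rules. The concurrency heuristic can also be pointed at any authentication log with timestamps, usernames and source addresses, which is how an IS auditor would look for shared IDs without first being told about them.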