Question 320 - CISA discussion


A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

A. IT operator
B. System administration
C. Emergency support
D. Database administration
Suggested answer: C

Explanation:

Segregation of duties (SOD) is a core internal control and an essential component of an effective risk management strategy. SOD distributes the discrete functions of a key business process across multiple people or departments so that no single person can both commit and conceal an error or a fraud [1].

SOD is especially important in IT, where granting excessive system access to one person or group can lead to data breaches, identity theft, or bypassed security controls [2]. One common framing splits the functions into four categories: authorization, custody, recordkeeping, and reconciliation [1]; ideally no single person or department holds responsibility in more than one category.

In a role-based environment, access privileges are granted through predefined roles rather than to individuals, so SOD has to be built into the role design: roles that together would let one person control a whole process are declared mutually exclusive, and the access system refuses to assign both to the same account. For example, the person who develops an application should not also be the one who tests it, moves it into production, or administers the systems it runs on.

Therefore an application developer should not be assigned the IT operator, system administration, or database administration roles; each gives standing access to production systems or data that the developer's own code touches, creating the opportunity to introduce and conceal unauthorized changes. The only listed role that may be assigned to a developer without violating SOD is emergency support, a temporary role that lets the developer access production only to resolve a critical issue that cannot wait [3]. Even so, it is acceptable only with compensating controls: access is granted for a bounded period, every action taken under it is logged, and the activity is reviewed afterwards by someone other than the developer.

References:

[1] Hyperproof Blog, Segregation of Duties: What it is and Why it's Important
[2] ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 106669
[3] Advisera Blog, Segregation of duties in your ISMS according to ISO 27001 A.6.1.2
[4] ISACA, CISA Review Manual, 27th Edition, 2019, page 282
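The two controls the explanation describes, a mutually exclusive role check that refuses conflicting standing assignments and a time-boxed, approved and logged emergency-support grant, as an added example in Python. This is not code from ExamGecko or ISACA. The role names come from the question; the conflict list, the rule that someone other than the requester must approve, the four-hour cap, the in-memory audit log and the sample incident reference are assumptions chosen for illustration.

```python
"""Static separation-of-duty checks for a role-based environment.
Added example, not ExamGecko's or ISACA's code. Role names are from the
question; the conflict list, approver rule, four-hour cap and audit-log
format are assumed policy values chosen for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Roles one person must never hold at the same time (assumed policy: the three
# operational roles the explanation says conflict with application development).
CONFLICTING_ROLE_PAIRS = {
    frozenset({"application_developer", "it_operator"}),
    frozenset({"application_developer", "system_administration"}),
    frozenset({"application_developer", "database_administration"}),
}
EMERGENCY_ROLE = "emergency_support"
MAX_EMERGENCY_WINDOW = timedelta(hours=4)  # assumed cap on a break-glass grant
AUDIT_LOG: List[Dict] = []                 # every decision, allowed or denied

class SoDViolation(Exception):
    """Raised when an assignment would give one person conflicting roles."""

@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime] = None  # None means a standing assignment
    approved_by: Optional[str] = None
    reason: Optional[str] = None

@dataclass
class User:
    name: str
    grants: List[Grant] = field(default_factory=list)

    def active_roles(self, now: datetime) -> Set[str]:
        """Roles in force at `now`; expired emergency grants drop out by themselves."""
        return {g.role for g in self.grants if g.expires_at is None or g.expires_at > now}

def _audit(event: str, user: User, role: str, now: datetime, **extra) -> None:
    AUDIT_LOG.append({"at": now.isoformat(), "event": event, "user": user.name,
                      "role": role, **extra})

def assign_role(user: User, role: str, now: datetime) -> None:
    """Standing assignment, refused if it conflicts with any role currently held."""
    if role == EMERGENCY_ROLE:
        raise ValueError("emergency support is only granted via grant_emergency_support")
    for held in user.active_roles(now):
        if frozenset({held, role}) in CONFLICTING_ROLE_PAIRS:
            _audit("denied", user, role, now, conflicts_with=held)
            raise SoDViolation(f"{user.name} already holds {held}; {role} conflicts")
    user.grants.append(Grant(role))
    _audit("assigned", user, role, now)

def grant_emergency_support(user: User, approver: str, reason: str, now: datetime,
                            duration: timedelta = MAX_EMERGENCY_WINDOW) -> Grant:
    """Break-glass grant: time-boxed, approved by someone else, always logged.
    The emergency role is deliberately absent from CONFLICTING_ROLE_PAIRS, which
    is why a developer may hold it; the compensating controls live here."""
    if approver == user.name:
        raise ValueError("emergency access must be approved by someone other than the requester")
    if not reason.strip():
        raise ValueError("an incident or ticket reference is required")
    if duration > MAX_EMERGENCY_WINDOW:
        raise ValueError(f"emergency grants are capped at {MAX_EMERGENCY_WINDOW}")
    grant = Grant(EMERGENCY_ROLE, expires_at=now + duration, approved_by=approver, reason=reason)
    user.grants.append(grant)
    _audit("emergency_granted", user, EMERGENCY_ROLE, now, approved_by=approver,
           reason=reason, expires_at=grant.expires_at.isoformat())
    return grant

def review_emergency_grants(users: List[User], now: datetime) -> List[Dict]:
    """What the post-use review pulls: every emergency grant with approver and reason."""
    return [{"user": u.name, "approved_by": g.approved_by, "reason": g.reason,
             "status": "active" if g.expires_at and g.expires_at > now else "expired"}
            for u in users for g in u.grants if g.role == EMERGENCY_ROLE]

def run_scenario() -> Dict:
    """Constructed walk-through: one developer, one refused role, one break-glass grant."""
    t0 = datetime(2024, 9, 18, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    alice = User("alice")
    assign_role(alice, "application_developer", t0)
    refused = None
    try:
        assign_role(alice, "system_administration", t0)  # SOD conflict, must be refused
    except SoDViolation as exc:
        refused = str(exc)
    grant_emergency_support(alice, approver="bob", reason="INC-1042 (constructed)", now=t0)
    later = t0 + timedelta(hours=5)  # past the four-hour window
    return {"refused": refused,
            "roles_now": sorted(alice.active_roles(t0)),
            "roles_later": sorted(alice.active_roles(later)),
            "review": review_emergency_grants([alice], later)}

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of keeping emergency support out of the conflict set while wrapping it in its own grant function is that the SOD policy and the compensating controls are enforced in code rather than by convention: a developer can never acquire a standing operator or administrator role, and the one role they can acquire expires on its own, carries a second person's approval and a reason, and leaves an audit trail the post-use review can pull without asking anyone.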

asked 18/09/2024 by Janson Chong