An IS auditor reviewing access controls for a client-server environment should FIRST:

A.
evaluate the encryption technique.

B.
identify the network access points.

C.
review the identity management system.

D.
review the application level access controls.

Explanation:
A client-server environment typically contains several access points and utilizes distributed
techniques, increasing the risk of unauthorized access to data and processing. To evaluate the
security of the client server environment, all network accesspoints should be identified. Evaluating
encryption techniques, reviewing the identity management system and reviewing the application
level access controls would be performed at a later stage of the review.