PrepAway - Latest Free Exam Questions & Answers

Regarding the access card system, the IS auditor should be MOST concerned that:

An IS auditor is reviewing the physical security measures of an organization. Regarding the
access card system, the IS auditor should be MOST concerned that:

A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show
no proof of identity.

B. access cards are not labeled with the organization’s name and address to facilitate easy return
of a lost card.

C. card issuance and rights administration for the cards are done by different departments,
causing unnecessary lead time for new cards.

D. the computer system used for programming the cards can only be replaced after three weeks in
the event of a system failure.

Explanation:

Physical security is meant to control who is entering a secured area, so identification of all
individuals is of utmost importance. It is not adequate to trust unknown external people by allowing
them to write down their alleged name without proof, e.g., identity card, driver’s license. Choice B
is not a concern because if the name and address of the organization were written on the card, a
malicious finder could use the card to enter the organization’s premises. Separating card issuance
from technical rights management is a method to ensure a proper segregation of duties so that no
single person can produce a functioning card for a restricted area within the organization’s
premises. Choices B and C are good practices, not concerns. Choice D may be a concern, but not
as important since a system failure of the card programming device would normally not mean that
the readers do not function anymore. It simply means that no new cards can be issued, so this
option is minor compared to the threat of improper identification.

