An IS auditor is reviewing the physical security measures of an organization. Regarding the access card
system, the IS auditor should be MOST concerned that:

A.
nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of
identity.

B.
access cards are not labeled with the organization’s name and address to facilitate easy return of a lost
card.

C.
card issuance and rights administration for the cards are done by different departments, causing
unnecessary lead time for new cards.

D.
the computer system used for programming the cards can only be replaced after three weeks in the event
of a system failure.

Explanation:
Physical security is meant to control who is entering a secured area, so identification of all individuals is of
utmost importance. It is not adequate to trust unknown external people by allowing them to write down their
alleged name without proof, e.g., identity card, driver’s license. Choice B is not a concern because if the name
and address of the organization was written on the card, a malicious finder could use the card to enter the
organization’s premises. Separating card issuance from technical rights management is a method to ensure a
proper segregation of duties so that no single person can produce a functioning card for a restricted area within
the organization’s premises. Choices B and C are good practices, not concerns. Choice D may be a concern,
but not as important since a system failure of the card programming device would normally not mean that thereaders do not function anymore. It simply means that no new cards can be issued, so this option is minor
compared to the threat of improper identification.