During an audit of an internally developed, web-based purchase approval application, an IS auditor discovers that all business users share a common access profile. Which of the following is the MOST important recommendation for the IS auditor to include in the report?

Question

BlackTom AI · Accepted Answer

Principle of least privilege and role-based access control (RBAC) require that users be given only the permissions they need to perform their job duties; a single common profile for all business users violates that principle and creates segregation-of-duties, fraud, error, and compliance risks.

1. Relevant knowledge points and concepts
- Principle of least privilege: limit access to necessary functions only.
- Role-based access control (RBAC): create profiles/roles mapped to job functions.
- Segregation of duties (SoD): prevent one person from having conflicting privileges (e.g., request and approve).
- Compensating controls (logging, policies) are helpful but do not replace limiting access.

2. Step-by-step reasoning process
- Observation: all business users share one common access profile.
- Risk assessment: common profile likely grants excessive rights to many users, enabling unauthorized approvals, data modification, or concealment of actions.
- Priority: prevent misuse at the access-control level before relying on detection controls.
- Remediation approach: design distinct profiles/roles that correspond to job responsibilities, assign minimum permissions, implement RBAC, and enforce provisioning/approval workflows.

3. Intermediate implementation steps (practical breakdown)
- Inventory application functions and required privileges.
- Define job roles and map minimal privileges to each role.
- Modify the application to support multiple profiles/roles or implement RBAC.
- Create provisioning, approval and periodic access review processes.
- Test role assignments and enforce SoD rules.

4. Why the correct answer is correct
Developing additional profiles to restrict access directly addresses the core weakness (excessive, undifferentiated privileges) by enforcing least privilege and SoD in the application — the most effective preventive control.

5. Why the other options are less correct
- b (policy): Important, but a policy without technical enforcement still allows abuse. Policy is a governance control, not the immediate corrective technical control.
- c (logging/review): Detective control that helps identify issues but does not prevent misuse; secondary to preventing excessive access.
- d (attack surface reduction): Generic security improvement but not targeted at the principal problem of uniform excessive user privileges.

6. Conclusion
Implementing additional application profiles mapped to job roles (option a) is the most important recommendation. This matches and confirms the provided correct answer: a. Develop additional profiles within the application to restrict user access per the job profiles.

During an audit of an internally developed, web-based purchase approval application, an IS auditor discovers that all business users share a common access profile. Which of the following is the MOST important recommendation for the IS auditor to include in the report?单项选择题

类似问题

What are user permissions?

What are user permissions?

In order to achieve the system protection, a process should access

A company recently hired you as a system administrator. You notice that some accounts that were set up for temporary employees who are no longer working at the company are currently enabled. Which of the following is the BEST thing to do?

What are user permissions?

An employee, Alex, needs access to a critical database containing sensitive project files. Alex's role requires read-only access to specific project folders, not full control over the entire database. What security principle is most relevant?

An auditor is reviewing whether employees who accessed the HR database last month used that access only for approved purposes. This review is most closely related to the data security principle of _____.

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单