
CISA Question #50: Real Exam Question with Answer & Explanation

The correct answer is B: Identify whether any compensating controls exist. Given a potential SoD violation in which a DBA both develops and executes changes, the auditor's first step is to identify whether compensating controls are in place to mitigate the inherent risk.

Submitted by thandi_sa · Apr 18, 2026 · Information System Auditing Process

Question

An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?

Options

  • A. Ensure a change management process is followed prior to implementation.
  • B. Identify whether any compensating controls exist.
  • C. Determine whether another database administrator (DBA) could make the changes.
  • D. Report a potential segregation of duties (SoD) violation.

Explanation

Given a potential SoD violation in which a DBA both develops and executes changes, the auditor's first step is to identify whether compensating controls are in place to mitigate the inherent risk.

Common mistakes.

  • A. Ensuring a change management process is followed is important, but identifying compensating controls is the more immediate and fundamental step for assessing the current risk level of the known SoD violation.
  • C. Determining whether another DBA could make the changes is a potential remediation, but it is premature until the auditor has determined whether existing controls already mitigate the risk and has fully assessed the current situation.
  • D. Reporting a potential SoD violation is the ultimate goal, but it should be done after assessing the full risk landscape, including the presence of compensating controls, so that the finding is comprehensive and actionable.

Concept tested. Segregation of duties and compensating controls

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/compensating-controls

Topics

#Segregation of Duties · #Compensating Controls · #Audit Procedure · #Risk Assessment
