LEAD-AUDITOR Question #83: Real Exam Question with Answer & Explanation
Question
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify that the Statement of Applicability (SoA) contains the necessary controls. You review the latest SoA (version 5) document, sampling the access control to the source code (A.8.4), and want to know how the organisation secures ABC's healthcare mobile app source code received from an outsourced software developer.

The IT Security Manager explains that the received source code will be checked into the SCM system to ensure its integrity and security. Only authorised users will be able to check out the software to update it. Both check-in and check-out activities will be logged by the system automatically. Version control is managed by the system automatically.

You found a total of 10 user accounts on the SCM. All of them are from the IT department. You further check with the Human Resource manager and confirm that one of the users, Scott, resigned 9 months ago. The SCM System Administrator confirmed that Scott's last check-out of the source code was 1 month ago. He was using one of the authorised desktops from the local network in a secure area.

You check the user de-registration procedure, which states: "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

The IT Security Manager explains that Scott is a very good software engineer, an ex-colleague, and a friend. He still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on the SCM still exists. "We know Scott well and he passed all our background checks when he joined us. As such we didn't feel it necessary to agree any further information security requirements with him just because he is now an external provider."
You prepare the audit findings. Select the three correct options.
Options
- A. There is a nonconformity (NC). Scott should have been advised of applicable information security
- B. There is a nonconformity (NC). The organisation's access control arrangements are not operating
- C. There is a nonconformity (NC). The IT Security manager did not make sure the user account for
- D. There is a nonconformity (NC). The operating procedures are not well documented. This
- E. There is a nonconformity (NC). The organisation does not have a documented procedure setting
- F. There is a nonconformity (NC). The organisation has failed to identify the security risks associated
- G. There is a nonconformity (NC). The SCM is open-source system software. It is not secured and
- H. There is a nonconformity (NC). The SCM will log the source code check-in/-out activities