CISA Domain 5

Last updated 6:18 PM on 6/23/26

204 Terms

1

What is used as the basis for designing and developing logical access controls?

The Information System Security Policy.

(The security policy defines rules for authentication, authorization, password standards, remote access, and data protection. Logical access controls are designed to enforce these rules so that only authorized users access systems and data. example: if the policy requires multi-factor authentication for remote access, systems must enforce MFA.)

2

Who is accountable for the appropriate maintenance of security controls over information assets?

Data owners and system owners.

(Data owners ensure proper protection and usage of data, while system owners ensure systems enforce security controls. example: the finance head ensures financial data access is restricted, while IT ensures access controls are implemented.)

3

Who should be made accountable for maintaining security controls over information assets?

Data owners and system owners.

4

What is the first step in data classification?

Establishing data ownership.

(Ownership must be defined before classification because the owner decides sensitivity level, access permissions, and protection requirements. example: HR owns employee records and classifies them as confidential.)

5

What is the best method to provide access to a user?

Authorization from the data owner and implementation of user authorization tables by the administrator.

(The data owner approves access based on business need, and the system administrator implements it in the system. example: a manager approves access to a sales database and IT updates role permissions.)

6

Responsibility for granting access to data resides with whom?

Data owner (with support from the security officer).

(The data owner decides who needs access; the security team ensures controls are properly implemented. example: marketing data owner approves analyst access; IT enforces access controls.)

7

Who is responsible for reviewing users' access rights?

Data owner.

(Periodic review ensures access remains appropriate and prevents privilege creep. example: quarterly review removes access for employees who changed roles.)

8

What is an IT security baseline?

Minimum security requirements.

(A baseline defines minimum security settings such as password length, patch levels, encryption requirements, and access controls. example: requiring antivirus, firewall, and OS patching on all systems.)

9

What should an IS auditor first ensure when reviewing an IT security baseline?

Sufficiency and adequacy of the baseline.

(The auditor verifies whether baseline controls adequately protect systems against threats and comply with policies and regulations. example: ensuring baseline includes encryption for sensitive data and strong authentication.)

10

Which of the following standards focuses specifically on the security requirements for organizations handling payment card data?

A) HIPAA

B) GDPR

C) PCI DSS

D) ISO/IEC 27701

C) PCI DSS

PCI DSS is a set of security requirements to protect payment account data. Any business that stores, processes, or transmits credit card information must adhere to its 12 core requirements to prevent data breaches and card fraud.

11

What is data privacy?

Privacy means individuals have control over how their personal information is collected, used, stored, shared, and protected.

Personal information includes names, contact details, financial information, health records, biometric data, and identification numbers. Organizations must ensure confidentiality, prevent unauthorized access, and avoid misuse. Failure to protect privacy can lead to identity theft, fraud, reputational damage, regulatory penalties, and loss of customer trust. For example, if a hospital leaks patient medical records, it violates privacy rights and legal obligations.

12

What rights do individuals have regarding their personal information?

Individuals have the right to know why their data is collected, how it will be used, and who will receive it. Data must not be used beyond its original purpose without consent.

For example, if a customer provides an email address for order confirmation, using it later for marketing without consent violates privacy rights.

13

How long should personal information be retained?

Only as long as necessary.

(This principle is called data retention limitation. Organizations should retain personal data only for the period required to fulfill the purpose for which it was collected, meet legal obligations, or resolve disputes. Retaining data longer than necessary increases breach risk and legal exposure. A retention schedule should define timelines and secure deletion methods. For example, tax records may be retained for statutory requirements, but customer verification documents should be deleted once retention requirements expire.)

14

What safeguards must organizations implement for personal information?

Organizations must implement technical, administrative, and physical controls to protect personal data from unauthorized access, alteration, disclosure, or loss. These safeguards include encryption, multi-factor authentication, access controls, network security, monitoring, data masking, secure backups, and employee awareness training. Physical protections such as restricted access areas and secure disposal are also important. Strong safeguards reduce the risk of data breaches and regulatory penalties.

15

What is required when third-party service providers process personal data?

Appropriate governance mechanisms over third parties.

(When vendors or service providers process personal data, the organization remains responsible for protecting it. Governance mechanisms include vendor risk assessments, due diligence, data processing agreements, confidentiality clauses, security requirements, audit rights, and continuous monitoring. Contracts should clearly define data usage, protection responsibilities, breach notification requirements, and data return or destruction obligations. This reduces risks arising from outsourcing and third-party access.)

16

What must organizations comply with during cross-border data transfer?

Applicable data protection regulations.

17

An organization wants to use its existing client database to promote a new product. What is the major concern for an IS auditor?

Using personal data beyond its original collection purpose violates the purpose limitation principle. If customer data was collected for service delivery, using it for marketing without consent may breach privacy regulations. The auditor must verify whether consent was obtained, privacy notices included marketing use, and opt-out mechanisms exist.

18

To determine whether an organization complies with privacy requirements, what should an IS auditor review first?

Legal and regulatory requirements.

(An IS auditor must first identify applicable laws, regulations, contractual obligations, and industry standards governing privacy. This establishes the compliance baseline. Only after understanding these requirements can the auditor evaluate policies, controls, and practices. Examples include national privacy laws, sector regulations, and international data protection frameworks.)

19

What is the purpose of physical controls?

To protect information system processing facilities through physical means such as locks, fences, CCTV, and access-restricting devices.

20

What are environmental controls?

Measures used to protect systems, buildings, and infrastructure from physical environmental threats.

21

What is a blackout?

A complete loss of electrical power.

22

What is a brownout?

A severe reduction in voltage that may damage equipment or cause strain on electronics.

23

What are power sags, spikes and surges?

A sag is a rapid decrease in voltage level; spikes and surges are rapid increases in voltage level. Any of these may corrupt data on the server or system.

24

What protects against power sags, spikes, and surges?

Properly placed protectors. Surge and spike devices help to protect against high-voltage power bursts.

25

What is the most effective control for short-term reductions in electrical power and what does it do?

A power line conditioner. A power line conditioner is a device intended to improve the quality of power that is delivered to electrical equipment. It compensates for the peaks and valleys in the power supply. When the electrical supply is low, it provides its own power and maintains a constant voltage.

26

What is electromagnetic interference (EMI)?

Electrical interference caused by storms or noisy equipment that may damage systems or corrupt data.

27

What is the primary purpose of a UPS?

An uninterruptible power supply (UPS) keeps an organization's systems running through power interruptions that last from a few seconds to 30 minutes.

28

What is the best solution for long-term power outages?

An alternative power source such as a generator.

29

What are the best practices for the maintenance of an alarm control panel?

  • It should be accessible to security personnel at all times.

  • It should be placed in a weatherproof box.

  • It should have electrical power from a dedicated and separate circuit.

  • It should be placed in adherence to local regulations and requirements.

30

What are the best practices for the maintenance of water and smoke detectors?

  • In the computer room, water detectors should be placed under raised floors and near drain holes.

  • Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor.

  • The location of the water and smoke detector should be highlighted for easy identification and access.

  • The power supply to the detectors should be sufficient.

  • These devices should be tested at regular intervals.

31

Why is water and smoke detector location important?

To provide the earliest possible warning of fire or water damage.

32

What should organizations have in place if alarms activate?

A designated employee responsible for remedial actions and a documented standard operating procedure (SOP).

33

Where should emergency evacuation plans be posted?

Throughout the facility.

34

How should electrical wiring be protected?

By placing it in fire-resistant panels and conduits. This conduit should ideally lie under the fire-resistant raised computer room floor.

35

What is the objective of physical access control?

To restrict and control access to premises, buildings, rooms, and data centers.

36

What are the main types of physical access controls and their key characteristics?

Bolting locks: Traditional key locks; keys must be strictly controlled and not duplicated.

Combination (cipher) locks: Use a keypad/dial code; codes should be restricted to authorized users and changed regularly, especially after employee termination or transfer.

Electronic locks: Use magnetic/chip access cards; cards are difficult to duplicate and easy to deactivate if lost or when an employee leaves. Card issuance and management must be controlled.

Biometric locks: Use fingerprints, retina scans, voice, or hand geometry; commonly used for highly sensitive facilities.

37

What physical security measures help prevent unauthorized access and improve facility security?

Deadman door (mantrap): Two-door system where the second door opens only after the first closes; prevents tailgating/piggybacking.

Identification badges: Employees must display badges; visitor badges should be distinct, and visitors must be escorted.

CCTV cameras: Installed at strategic locations; recordings should typically be retained for about 3 months.

Workstation locks: Prevent unauthorized use of high-sensitivity computers.

Facility concealment: Sensitive areas (e.g., computer rooms) should not be visibly identified from outside the building.

38

What protects against short-term power fluctuations (sags and brownouts)?

Power line conditioner.

39

What protects against temporary power outages lasting minutes?

UPS

40

What protects against extended power outages?

Generator/alternative power source.

41

What physical access method provides the strongest assurance of identity?

Biometric access controls.

42

What physical control best prevents tailgating?

Deadman door (mantrap).

43

What are the main types of fire suppression systems?

The main types include:

  • Water-based (Wet Pipe)

  • Dry Pipe

  • Halon

  • FM-200

  • Argonite

  • CO₂ systems

44

Explain a Water-Based (Wet Pipe System)

  • Wet pipe systems keep water constantly stored in sprinkler pipes under pressure. When heat activates a sprinkler head, water is discharged immediately.

  • These systems are highly reliable and respond quickly, making them suitable for office buildings and standard facilities.

  • However, they pose a risk of water damage to IT equipment if leaks or accidental discharge occur.

45

Explain a Dry Pipe System

  • Dry pipe systems store pressurized air or nitrogen in the pipes instead of water. When a sprinkler head activates, air pressure drops, allowing water to enter the pipes and discharge.

  • These systems are ideal for cold environments where water could freeze.

  • They are less effective and reliable than a water-based (wet pipe) system.

  • They reduce the risk of accidental water damage.

46

Explain a Halon System

  • Halon systems suppress fire by interrupting the chemical reaction of combustion.

  • They leave no residue and do not damage electronic equipment.

  • However, Halon is harmful to the ozone layer and has been phased out or banned in many countries.

  • Because it can create unsafe breathing conditions, an audible alarm and a discharge delay are required before release so that personnel can evacuate.

47

Explain a FM-200 System

  • FM-200 is a clean agent gas that extinguishes fire by absorbing heat and stopping combustion.

  • It is colorless, odorless, and leaves no residue.

  • It is safe for occupied areas when used properly.

  • It is widely used in data centers and server rooms because it protects electronic equipment without causing damage.

48

Explain an Argonite System

  • Argonite is an inert gas mixture composed of 50% argon and 50% nitrogen. It suppresses fire by reducing oxygen levels to a point where combustion cannot continue.

  • It is environmentally friendly and non-toxic, but high concentrations may cause suffocation if evacuation is delayed.

49

Explain a CO₂ (Carbon Dioxide) System

  • CO₂ systems extinguish fire by displacing oxygen in the air.

  • They are highly effective and leave no residue, making them suitable for protecting equipment.

  • However, they are dangerous to human life in enclosed spaces and are therefore used mainly in unmanned facilities such as generator rooms and industrial environments.

50

Which is more effective and reliable: water-based or dry pipe?

Water-based (wet pipe) systems are more effective and reliable.

(Wet pipe systems respond immediately because water is already present in the pipes. Dry pipe systems have a slight delay while water fills the pipes. Fewer mechanical components also make wet pipe systems less prone to failure.)

51

What is the disadvantage of a water-based system?

Risk of water damage if pipes leak or break.

(Since water is constantly present, accidental leaks, pipe bursts, or system malfunctions can cause damage to IT equipment, documents, and electrical systems. This risk is a major consideration in data centers.)

52

What is the advantage of a dry pipe system?

Reduced risk of water damage from pipe leaks.

(Because water is not stored in the pipes, accidental leakage is less likely to cause damage. This makes dry pipe systems suitable for environments where equipment is highly sensitive to water damage.)

53

Which gas-based suppression systems are considered safer for human presence?

FM-200 (used widely in data centers) and Argonite (with caution).

(These gases are designed to suppress fire while minimizing risk to humans. They do not significantly reduce oxygen to dangerous levels when used properly, making them suitable for occupied areas such as data centers and control rooms.)

54

Between FM-200 and Argonite, which is safer for humans?

FM-200 is safer.

(FM-200 extinguishes fire by absorbing heat and interrupting the combustion process rather than reducing oxygen. Argonite is non-toxic but reduces oxygen levels, which may cause suffocation in high concentrations if evacuation is delayed.)

55

Which fire suppression gases are NOT safe for human life?

Halon and CO₂.

(Halon creates unsafe breathing conditions and CO₂ displaces oxygen, so both can create life-threatening conditions in enclosed spaces. Their use requires strict safety controls and evacuation procedures.)

56

Why is Halon banned?

It damages the ozone layer.

(Halon is an ozone-depleting substance and has been phased out under international environmental agreements such as the Montreal Protocol. Existing systems may still be maintained, but new installations are restricted in many countries.)

57

What safety measure must be implemented before Halon discharge?

Audible alarm and discharge delay to allow evacuation.

(Because Halon can create unsafe breathing conditions, systems must provide warning alarms and time delays to ensure personnel can exit safely before gas release.)

58

What are the characteristics of FM-200?

Colorless, odorless, safe for occupied areas, environmentally acceptable, and a commonly used gaseous fire suppression agent.

(FM-200 extinguishes fire by absorbing heat and interrupting combustion without significantly reducing oxygen levels. It leaves no residue and does not damage electronic equipment, making it ideal for data centers and server rooms.)

59

What are the characteristics of Argonite?

50% argon and 50% nitrogen. It is a gaseous fire suppression agent. It is environmentally friendly and non-toxic but may cause suffocation in high concentrations.

60

What are the characteristics of CO₂?

It displaces oxygen in the air and poses a serious risk to human life in enclosed spaces. It is commonly used in areas without human occupancy, such as engine rooms, generator rooms, and unmanned data centers.

61

Which fire suppression system is most environmentally friendly and effective?

Dry pipe systems

62

Which of the following is a major risk of electromagnetic emission from a computer room?

A) It may damage the storage device

B) It may disrupt the processor functionality

C) It may impact the health of employees

D) It may be detected and displayed

D) It may be detected and displayed. A major risk of electromagnetic emission is that it may be detected and displayed using sophisticated devices, creating the possibility of unauthorized data disclosure. Most electromagnetic emissions are of low frequency, so there is no impact on the health of employees or on storage devices or processors.

63

Which of the following environmental controls is most effective for preventing static electricity from damaging sensitive electronic equipment?

Maintaining appropriate humidity levels in the data center

64

What is the risk associated with the use of an access card for entering a computer room?

A) The risk of an unauthorized person entering behind the authorized person

B) The risk of using duplicated access cards

C) The risk of absence of an audit trail

D) The risk of delay in deactivating the access of a terminated employee

A) The risk of an unauthorized person entering behind the authorized person. The risk with access cards is tailgating or piggybacking.

65

The most effective control over visitor access to a data center is:

A) To escort the visitor

B) To issue a visitor’s badge

C) To frisk the visitor for storage media

D) To maintain a visitor’s register

A) To escort the visitor. This ensures they follow the rules of the data center.

66

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication service that allows a user to use one set of login credentials (user ID and password) to access multiple applications.

67

What are the advantages of Single Sign-On?

  • Multiple passwords are not required (simplifies password management and encourages stronger password selection).

  • Improves administrators' ability to manage user accounts.

  • Reduces the administrative overhead cost of resetting passwords, because fewer password-related tickets are raised.

  • Reduces login time.

68

What is a major risk of SSO?

SSO acts as a single authentication point for multiple applications and is considered a single point of failure. If the single credential is compromised, all connected applications can be accessed.

69

What is another operational challenge of SSO?

Integration across multiple platforms. Supporting all major operating system environments can be difficult.

(Organizations often use a mix of legacy systems, cloud platforms, mobile devices, and different operating systems. Ensuring seamless authentication across all environments requires integration effort, compatible protocols, and continuous maintenance.)

70

What is the most important control for SSO?

Implementation of a strong password policy.

(Since one credential grants access to multiple systems, it becomes a high-value target for attackers. Strong password policies — including complexity requirements, rotation rules, account lockout thresholds, and prevention of password reuse — reduce the likelihood of compromise.)

71

How can the risk of unauthorized access in SSO be controlled?

Using strong authentication mechanisms such as Kerberos.

(Strong authentication protocols protect against credential theft and replay attacks. Implementing multi-factor authentication (MFA) further reduces the risk of unauthorized access.)

72

What is Kerberos?

One example of SSO is Kerberos. It is a ticket-based mutual authentication protocol used in SSO environments where both the user and the server authenticate each other. Its major benefit is that it prevents password transmission and replay attacks.

(Kerberos is a secure, ticket-based authentication protocol designed to verify identities over insecure networks. Instead of transmitting passwords, it uses encrypted tickets issued by a trusted Key Distribution Center (KDC). When a user logs in, Kerberos provides a ticket that proves identity to other systems without resending credentials. It also supports mutual authentication, meaning the user verifies the server and the server verifies the user, preventing impersonation attacks. Kerberos reduces the risk of password interception, replay attacks, and unauthorized access, making it highly suitable for enterprise SSO environments.)

73

In SSO, unauthorized access:

A) will have major impact

B) will have minor impact

C) is not possible

D) is highly possible

A) will have major impact

74

Risk of unauthorized access with SSO can best be controlled by:

Kerberos

75

What are the three factors of authentication?

Something you know (Knowledge-based)

  • Examples: Password, PIN, security questions

  • Relies on information the user remembers.

  • Most common authentication method, but also the weakest if passwords are weak or shared.

Something you have (Possession-based)

  • Examples: Token, smart card, One-Time Password (OTP), mobile authentication device

  • Relies on a physical object the user possesses.

  • Even if a password is stolen, access is not possible without the device.

Something you are (Biometric-based)

  • Examples: Fingerprint, iris scan, voice recognition, facial recognition

  • Relies on unique biological traits.

  • Biometrics are difficult to duplicate but may raise privacy concerns and require specialized hardware.

76

Password and PIN — Single, Two, or Three Factor?

Single-factor authentication.

(Both password and PIN belong to the “something you know” category. Using multiple credentials from the same category does not increase authentication strength.)

77

Password and Token — Single, Two, or Three Factor?

Two-factor authentication.

Password = something you know

Token = something you have

(Combining two different authentication factors significantly improves security. Even if the password is stolen, access cannot occur without the token.)

78

Fingerprint and Voice Recognition — Single, Two, or Three Factor?

Single-factor authentication.

(Both fingerprint and voice recognition are biometric factors — “something you are.” Using two biometrics does not count as multi-factor because they belong to the same category.)

79

Password + Access Card + Fingerprint — Single, Two, or Three Factor?

Three-factor authentication.

Password = something you know

Access card = something you have

Fingerprint = something you are

(This provides the highest level of authentication assurance because all three factor categories are used.)

80

What is the most effective method to prevent unauthorized access to a system administration account?

Two-factor authentication.

(Admin accounts have elevated privileges. Requiring a second authentication factor significantly reduces the risk of unauthorized access even if passwords are compromised.)

81

What is the most effective method to ensure only authorized users can connect to a system?

Two-factor authentication.

(It adds an additional verification layer beyond passwords, preventing unauthorized access due to stolen credentials.)

82

An organization implements two-factor authentication using a token and a PIN. What is an important rule for the security policy?

The PIN should not be written down anywhere.

(Writing down the PIN defeats the purpose of two-factor authentication. If both the token and PIN are compromised, security is lost.)

83

What is the objective of an IS auditor when reviewing logical access controls?

To determine whether access is granted and controlled according to approved authorizations.

(Logical access controls ensure that only authorized users can access systems, applications, and data. An IS auditor verifies that access is granted based on proper approval, business need, and job responsibilities. The auditor reviews access request forms, approval workflows, role-based permissions, periodic access reviews, and termination procedures. The goal is to confirm that the principle of least privilege is enforced and that unauthorized access risks are minimized.)

84

How can compliance with a password policy be best ensured?

By using automated password management tools.

85

What is the most important consideration when reviewing system controls?

Alignment of security requirements with performance requirements.

(Security controls must protect systems without disrupting business operations. Excessive controls may slow down system performance and reduce productivity, while weak controls increase security risk. The objective is to achieve a balance between security, usability, and performance to ensure both protection and operational efficiency.)

86

What is the best way to permanently erase data?

First preference: Physical destruction

If not feasible: Demagnetization (degaussing)

(Physical destruction, such as shredding or crushing storage media, ensures data cannot be recovered. Degaussing removes the magnetic field from storage devices, making data unreadable. These methods are critical when disposing of sensitive media to prevent data leakage, industrial espionage, or regulatory violations.)

87

What is the objective of using a naming convention?

To group similar assets under common naming standards in order to implement efficient access rules and simplify security administration.

(Standardized naming conventions help administrators manage systems and resources efficiently. They enable consistent application of security policies, simplify access control configuration, and reduce administrative errors. For example, grouping servers by department or function allows security rules to be applied to entire groups rather than individual assets.)

88

What is the first step in implementing logical access controls?

Preparing an inventory of information system resources.

(Organizations must identify all systems, applications, databases, and network resources requiring protection. Without a complete inventory, access controls may be incomplete or improperly configured. This step ensures all critical assets are protected and access control policies can be applied consistently.)

89

What is the most effective control against identity theft?

Two-factor authentication.

(Two-factor authentication requires users to provide two different authentication factors, such as a password and a token. Even if credentials are stolen, unauthorized access is prevented without the second factor. This significantly reduces identity theft risks and unauthorized account access.)

90

What should be reviewed to determine access levels available to different users?

System file configuration.

(System configuration files define user roles, permissions, and access rights. Reviewing these settings helps auditors verify whether access privileges align with organizational policies and job responsibilities.)

91

Write and edit access should always be prohibited for which files?

Log files (especially logs for suspected transactions).

(Log files provide critical evidence for security monitoring, audits, and forensic investigations. If users can modify or delete logs, they may conceal unauthorized activities or fraud. Protecting log integrity is essential for accountability and incident response.)

92

What is a major aspect when reviewing telecommunication access control?

Authorization and authentication processes.

(These processes ensure only authorized users and devices can access communication systems and networks. Strong authentication and authorization prevent unauthorized connections, interception, and misuse of communication channels.)

93

What increases the effectiveness of Discretionary Access Control (DAC)?

Alignment with Mandatory Access Control (MAC).

(DAC allows resource owners to grant access, while MAC enforces system-wide security policies. Combining both strengthens security by preventing users from granting permissions that violate organizational security policies.)

94

What is a major risk if there is no authorization process?

Unauthorized access and inability to control role-based access.

(Without authorization procedures, users may obtain excessive privileges, increasing the risk of fraud, errors, and data misuse. Proper authorization ensures access is granted based on job roles and business requirements.)

95

What is the best control for providing access rights to outsourced vendors?

Temporary user accounts with defined roles and expiration dates.

96

What does a default deny access control policy do?

Allows approved traffic and rejects all other traffic.

(Default deny is a security best practice. Only explicitly authorized access is allowed, while all other access attempts are blocked. This minimizes the attack surface and prevents unauthorized or unknown traffic from entering systems.)

97

What does a default allow access control policy do?

Denies specific traffic and allows all other traffic.

(This approach allows access unless explicitly blocked. It is less secure because unrecognized or new threats may be permitted by default. It increases the risk of unauthorized access.)

98

What is the most effective way to prevent unauthorized access to an unattended PC?

Password-protected screensaver.

(Auto-lock screensavers ensure that systems are locked when unattended. This prevents unauthorized users from accessing systems left open in offices, shared spaces, or public areas.)

99

Which of the following is considered a major risk in an organization’s logical access control procedure?

A) The sharing of passwords

B) Password files are not protected

C) Delay in the deactivation of a resigned employee’s login access

D) Centralized issuance of logon IDs

B) Password files are not protected. Unprotected password files pose a major risk, as unauthorized access to these files can expose the organization to serious harm. Password files should always be encrypted.

100

The availability of printing options for all users increases the risk of?

A) Data confidentiality

B) Data integrity

C) Data availability

D) Reduced productivity

A) Data confidentiality. It is difficult to control the printing of confidential documents.