Exam CAS-004 topic 1 question 23 discussion

If you receive a report that your application has a vulnerability and there is suspicious activity in your logs then your FIRST step would be to investigate the logs to see if you have already been compromised and deal with that issue. THEN you can move on to other steps.

D. Working with procurement and creating a requirements document to select a new IAM system/vendor If the security team at a university has received a report from an outside auditor indicating that the institution's homegrown identity management system is not consistent with best practices and leaves the institution vulnerable, the team should consider replacing the system with a more secure and robust solution. To do this, the security team should work with procurement to create a requirements document that outlines the necessary capabilities and features of a new identity and access management (IAM) system or vendor. This may include researching and evaluating potential solutions, testing and piloting new systems, and negotiating contracts with vendors.

A. Investigating a potential threat identified in logs related to the identity management system-> The external auditor produced a report so if there's logs involved, that's in the report so no reason to do it again B. Updating the identity management system to use discretionary access control->this was given already as temporary students have only access to certain areas, not like permanent students C. Beginning research on two-factor authentication to later introduce into the identity management system->It's a badge, I've never seen MFA in a badge. If they refer to access the identity management system, that's different, but it wasn't mentioned what the report says D. Working with procurement and creating a requirements document to select a new IAM system/vendor -> We don't know what the report says, so given the other answers aren't good to tick, we assume the "not consistent with best practices" is not possible to fix with this vendor, so we have to evaluate other options, however the answer says what to do first, well there's no multiple things to do with the given options...

Keyword: First D is a long term project, not a solution for immediate response.

Keyword is homegrown.

This is a trick question, but if you think of it, they received a report from an auditor, thus, they were not able to see the alerts themselves, so there would be no logs to investigate. I did consider the answer A, but D makes more sense.

Answer: D. Working with procurement and creating a requirements document to select a new IAM system/vendor Explanation: The security team should first address the root cause of the problem, which is the homegrown identity management system that is not consistent with best practices in the security field. This leaves the institution vulnerable. Therefore, the first step should be to work with procurement and create a requirements document to select a new Identity and Access Management (IAM) system/vendor. This will ensure that the new system is in line with the best practices in the security field and will reduce the institution's vulnerability. The other options, such as investigating a potential threat, updating the system to use discretionary access control, or researching two-factor authentication, are all important but they are secondary steps that should be taken after addressing the main issue.

Audit doesn't identify threats, they issue findings, so not a.

I initially thought "D", but I've been convinced it's "A"-- when you go to procurement the first question they'll ask is "Why do you need to buy this?" and you'll say "The auditor said there's a potential vulnerability" and they'll say "Well has it ever actually been exploited???" and you'll go "uhh...ummm.. I mean... the auditor just said it's there." and they'll say "That's nice, junior. How about you go tell me what our actual risk level is, or if there's ever been an issue, before daddy gets out his wallet and slips you some cash." Or at least that's what they'll say if you haven't don "A" first.

Given the information provided, the FIRST recommendation for the security team should be: D. Working with procurement and creating a requirements document to select a new IAM system/vendor

D About A - Who says there are logs??

A. Investigating a potential threat identified in logs related to the identity management system, as cybersecurity the first thing you do is verify if it is true, then send request to management for approval of budget then to the procurement team.

Given that the outside auditor has reported that the homegrown identity management system is not consistent with best practices and leaves the institution vulnerable, it indicates a fundamental issue with the existing system. In such cases, it's prudent to consider the procurement of a new Identity and Access Management (IAM) system that aligns with industry best practices. Remember that the question does not specify what the problem is, so the only possible answer is D.

bet i can A. Investigating a potential threat identified in logs related to the identity management system before you can D. Working with procurement and creating a requirements document to select a new IAM system/vendor.

the way i read it is a potential threat has been identified in a log file related to the identity management system, so I will investigate the potential immediate threat first and then begin the much longer process of procurement. I am going to focus on the word, first

First off, alot is left unsaid in this question:If the external auditor is from a regulatory body or the government, does it really matter if the security team decide to do the investigation? If they've already found out that the system is not consistent with industry best practice, is there any need to conduct an investigation?My point is, if the outside auditors have found that the system is against best practice,then it does really matter what the security does except to comply to the recommendation for best practice.

It is not A. The auditor found a potentially critical vulnerability. If they went with A there might not be any indicators of a threat. That does not mean the IMS system is not vulnerable. The report will give them enough information of why they need to replace the system.