After an employee termination, a network account was removed, but the application account remained active. To keep this issue from recurring, which of the following is the BEST recommendation?
A. Integrate application accounts with network single sign-on.
It is indeed more convenient to use SSO to ensure that when employees leave, the application-related permissions are also cancelled. But whether or not SSO is imported, regular account permission reviews are still the most complete solution. Careful review of account permissions can help ensure that invalid accounts are indeed closed or deleted.
So, I think the answer is B.
This is just a matter of careful reading. To keep this issue from recurring (Preventative), you would use SSO to ensure that disabling the network account would in turn disable access for the application. Performing periodic access reviews is a corrective control, addressing application accounts that were not disabled after the fact (at this point, you are past preventing it).
This centralizes user access management. Linking application accounts to the SSO system automatically revokes access to all integrated applications with the termination of a network account.
Incomplete integration: some applications might not be fully integrated with the SSO system, leaving room for discrepancies between network account termination and the deactivation of associated application accounts. Therefore, periodic review is the best.
The question is looking for preventive control. B is detective control so is not the correct answer. Single sign-on is defined as the process for consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function.
In this question the issue is having an application w/ two different types of access. One account/password for the application (consider it local) and a domain account/System account & password. You can delete the system account and the application account will still exist. Combining them (requiring a system password w/ managed or limited permissions) better facilitates management. When the system account is deleted, account access is also removed.
The issue is an account removed after the employee terminated their contract; therefore, a review should be conducted on a periodic basis (at least quarterly). SSO might look like a solution, but next time they may forget to remove network accounts; there is no assurance that the account will be removed, and as an auditor you can't directly recommend business-related controls to the environment. It's up to the company to decide to use an SSO or IAM solution for automatic termination of accounts. Maybe the software doesn't support it; you can't be sure.
SSO also makes systems more vulnerable to a single point of failure. Hence, keeping network and application access separate is always good. Hence, review of access is the best option.
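The two controls the thread argues about can be made concrete. The following is an added example, not part of the original discussion: it takes a constructed snapshot of directory (network) accounts and an application's local accounts, and shows the detective control (a periodic review that flags application accounts whose owner no longer has an active network account) next to the preventive control (an SSO-style link that disables such application accounts automatically). The data and function names are assumptions for illustration only.

```python
# Constructed sample data (not from any real system).
# Network/directory accounts: username -> status.
NETWORK_ACCOUNTS = {
    "alice": "active",
    "bob": "disabled",   # terminated employee: network account was disabled
    "carol": "active",
}

# Application-local accounts, maintained separately from the directory.
APP_ACCOUNTS = [
    {"user": "alice", "status": "active"},
    {"user": "bob", "status": "active"},   # left behind after termination
    {"user": "dave", "status": "active"},  # no matching network account at all
    {"user": "carol", "status": "disabled"},
]


def orphaned_app_accounts(app_accounts, network_accounts):
    """Detective control: periodic access review.

    Returns the usernames of application accounts that are still active
    although the owner's network account is disabled or does not exist.
    """
    orphans = []
    for acct in app_accounts:
        if acct["status"] != "active":
            continue
        net_status = network_accounts.get(acct["user"])
        if net_status != "active":
            orphans.append(acct["user"])
    return orphans


def sso_linked_deprovision(app_accounts, network_accounts):
    """Preventive control: application access tied to the network identity.

    Models an SSO-integrated application: an application account is only
    usable while the corresponding network account is active, so disabling
    the network account disables application access at the same time.
    Returns a new list; the input is not modified.
    """
    result = []
    for acct in app_accounts:
        net_status = network_accounts.get(acct["user"])
        effective = acct["status"] if net_status == "active" else "disabled"
        result.append({"user": acct["user"], "status": effective})
    return result


if __name__ == "__main__":
    print("Review findings (orphaned app accounts):",
          orphaned_app_accounts(APP_ACCOUNTS, NETWORK_ACCOUNTS))
    linked = sso_linked_deprovision(APP_ACCOUNTS, NETWORK_ACCOUNTS)
    print("After SSO-linked deprovisioning:", linked)
    # With the link in place, a later review finds nothing to clean up.
    print("Review after linking:", orphaned_app_accounts(linked, NETWORK_ACCOUNTS))
```

The review function is what a quarterly access review does by hand: compare the application's user list against the directory and report the leftovers. The deprovisioning function shows why the SSO link is the preventive answer: once application access depends on the network identity, the orphan list is empty without anyone remembering to remove the second account. It also shows the caveat raised above: an application that is not integrated (the `dave` account, which has no directory identity) is only caught by the review.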