5.16.4 Case Study D
A major financial institution has just implemented a centralized banking solution (CBS) in one of its branches. It has a secondary concern to look after marketing of the bank. Employees of a separate legal entity work on the bank premises, but they have no access to the bank's solution software. Employees of other branches get training on this solution from this branch, and for training purposes temporary access credentials are also given to such employees. IS auditors observed that employees of the separate legal entity also access the CBS software through the branch employees' access credentials. IS auditors also observed that there are numerous active IDs of employees who got training from the branch and have since been transferred to their original branch.
D1. Which of the following should IS auditors recommend to effectively eliminate such password sharing?
A. Assimilation of security need to keep password secret
B. Stringent rules prohibiting sharing of password
C. Use of smart card along with strong password
D. Use of smart card along with employee's terminal ID
CISA Review Manual 26th Edition
page 413
Comments
Of course two-factor will always be more secure, and in an ideal world three-factor (something you know, something you have, something you are) would be best, but progress takes time, and many times, in science as well as in business, things move forward one funeral at a time.
- b/eads
4FA = Four-Factor Authentication
Something you know (password, PIN, etc.)
Something you have (mobile phone, credit card, smart card, etc.)
Something you are (fingerprint, hand geometry, etc.)
and
Something you can do (accurately reproducing a signature, measuring speed/pressure)
I have also heard of the rise of other factors (or fifth-, sixth-factor authentication)
Sometimes it is
5th - Time (verification of employee IDs against work schedules)
Somewhere you are
6th - Location (GPS location, i.e. ATM use in the United States, then 10 minutes later somewhere in Europe)
This is going a bit overkill for CISA, but interesting.
Anyway, this question (& its book answer) has me a bit perplexed.
I am trying to understand the ISACA thought process.... trying...
You cannot see the poll results until you vote.
I eventually will post the book answer; until then, log in & vote.
I can't find this question in the Chapter 5 case studies, so the question now is: it was thought that ISACA basically only changes the cover; is this really the case?
LOL! Then it's D, there's no way it is A or B!
A is a BS answer, and B can't be right because immediately upon getting credentials, or before getting them, new employees sign an acceptable use policy and are instructed that passwords aren't for sharing.
In the case of D, IS auditors seem to be okay with employees and contractors giving each other cards instead of passwords!
PS Also be aware that the thread could be wasted because mods don't want ISACA going after TE with copyright infringement claims
You can have policies, 10-factor authentication, training and even the threat of termination, but until staff actually believe that password sharing is wrong, they will still find ways to share passwords.
An example from neighboring Kuwait: a security guard was caught with a set of plastic fingers that he used to sign people in (attendance register using fingerprints - something you are).
page 415
The key word seems to be "assimilation" in the book answers.
I will not post the full explanation here, as you should have this study manual.
Since most people are not picking this answer, you can start to see why I posted this.
I am trying to understand ISACA thinking....
Maybe we should warp to Star Trek
we are the borg
you will be assimilated
resistance is futile
I agree. And I have audited a few commercial banks, and I have yet to find a bank that would satisfy this description, as even in really small ones there's always a password policy of some form, which is often not even a result of actions performed after an IS audit but something that was introduced by infrastructure teams in prehistoric times.
I'd say that these days you can't really rely on having a situation in a bank where there are passwords in use but the users aren't instructed not to share their passwords via an acceptable use policy (first-day policy, enrollment process, you name it).
I would suggest that ISACA prove that the situation they are implying (a bank where people aren't instructed not to share passwords) is actually something that happens in the real world.
Hell, even for free online services it is almost a rule that you have to agree to some kind of terms of service document that has a phrase or two on passwords.
Another reason why this answer is BS is its wording. This is like a common-sense statement (humans need air to breathe type of thing), and it's not clear to whom it is directed and what exactly it asks one to do. One would expect something like "employees must have been informed that password sharing is prohibited and sign a password policy document". I could have voted for such a control IF the scenario HAD a statement that the users aren't informed about it. This control would be cheaper than smart cards + PIN or password, although not as robust.
The keyword is "eliminate".
It's like telling your kids the danger of watching ****. Some kids will listen, some kids won't. So assimilation of security (A) and stringent rules (B) are only one half of the solution, as they won't eliminate password sharing.
C -> Smart cards and passwords can be shared.
D -> While smart cards can be shared, the terminal ID (as I understand it) is a measure that ensures that access is made from valid terminal sources (it stops branch office employees and the separate legal entity employees from working in their area).
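As an added illustration (not from the thread or from the ISACA manual), a small Python model of the two audit findings in the case study: an access check that requires the employee's own smart card plus a terminal registered for that ID, so a shared password alone no longer opens a CBS session, and a sweep for temporary training IDs left active after the trainee's transfer back to their home branch. All employee IDs, card numbers, terminal names and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample registry: each CBS user ID is bound to the smart card
# issued to that person and to the branch terminal(s) it may be used from.
TERMINAL_BINDINGS = {
    "EMP1001": {"card": "CARD-A1", "terminals": {"BR01-T01", "BR01-T02"}},
    "TRN2001": {"card": "CARD-T9", "terminals": {"BR01-T05"}},
}

# Constructed sample of temporary training IDs and the date each trainee
# was transferred back to their original branch.
TRAINING_IDS = {
    "TRN2001": {"active": True, "transfer_date": date(2023, 2, 1)},
    "TRN2002": {"active": True, "transfer_date": date(2023, 3, 15)},
    "TRN2003": {"active": False, "transfer_date": date(2023, 1, 10)},
}


@dataclass(frozen=True)
class LoginAttempt:
    user_id: str
    card_id: str
    terminal_id: str
    password_ok: bool


def authorize(attempt: LoginAttempt, bindings=TERMINAL_BINDINGS) -> tuple[bool, str]:
    """Option D of the case study: smart card plus terminal binding.
    A password handed to a colleague or contractor is not enough on its own:
    the session also needs the card issued to that ID and must come from a
    terminal registered for it, so sharing is detected as a refused login."""
    binding = bindings.get(attempt.user_id)
    if binding is None:
        return False, "unknown user id"
    if not attempt.password_ok:
        return False, "bad password"
    if attempt.card_id != binding["card"]:
        return False, "smart card not issued to this user"
    if attempt.terminal_id not in binding["terminals"]:
        return False, "terminal not registered for this user"
    return True, "ok"


def stale_training_ids(training_ids=TRAINING_IDS, today: date = date(2023, 6, 1)) -> list[str]:
    """Second audit finding: temporary IDs still active after the trainee
    has been transferred back. These should have been disabled on transfer."""
    return sorted(uid for uid, rec in training_ids.items()
                  if rec["active"] and rec["transfer_date"] < today)
```

In practice the terminal binding would come from the CBS access registry and the transfer dates from HR, but the checks themselves are the same.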