During a system access control review, an IT auditor discovers user security groups that have no designated owner. Why is this a concern to the auditor? Because without an owner there is no accountability for:
Updating group metadata.
Removing terminated users.
Approval of user access.
Reviewing existing user access.
Correct answer: approval of user access. Without an owner to approve requests for membership, unauthorized individuals could be added to the group and gain access to whatever sensitive data the group's rights cover. Updating group metadata is a minor concern compared to unauthorized access. Periodic review of existing access is good practice, but it is a detective control and is not as robust as preventing inappropriate access from being granted in the first place. Removing terminated users is likewise a detective control, compensating for failures in the normal termination process.
Edit: If the group doesn't have an owner, but does have users that can grant access, then reviewing existing user access is just as important as approval of user access -- existing users may have incorrectly been granted access just as a new user might.
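The reconciliation an auditor would actually run to support this finding, as an added example that is not part of the Skillset question or its explanation: it takes a small constructed directory export (group names, owners, members, and who can modify membership, all assumed for illustration) plus a constructed list of approval records, and reports ownerless groups, members whose access was never approved by the group's designated owner, and ownerless groups where existing membership must be reviewed because non-owners can grant it (the point raised in the Edit above).

```python
"""Added example (not from the original question page): reconcile group
membership against ownership and approval records, the way an access
review would, using a small constructed directory export."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Group:
    name: str
    owner: Optional[str]                 # designated owner, or None if ownerless
    members: Set[str]
    # Users who can add members without being the owner (assumed attribute).
    can_modify_membership: Set[str] = field(default_factory=set)


# Constructed sample data (assumed, not taken from the page).
GROUPS: List[Group] = [
    Group("finance-readonly", owner="alice", members={"bob", "carol"}),
    Group("hr-payroll-admins", owner=None, members={"dave", "erin", "frank"},
          can_modify_membership={"dave"}),
    Group("legacy-app-users", owner=None, members=set()),
]

# Approval records as (group, user, approved_by). An approval is only
# accountable when the approver is the group's designated owner.
APPROVALS: List[Tuple[str, str, str]] = [
    ("finance-readonly", "bob", "alice"),
    ("finance-readonly", "carol", "mallory"),   # approver is not the owner
    ("hr-payroll-admins", "erin", "dave"),      # group has no owner: nobody is accountable
]


def ownerless_groups(groups: List[Group]) -> List[str]:
    """Groups with no designated owner: the auditor's primary finding."""
    return sorted(g.name for g in groups if g.owner is None)


def unaccountable_access(groups: List[Group],
                         approvals: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map group -> members whose access lacks an approval by that group's owner.
    In an ownerless group no approval can be accountable, so every member is listed."""
    by_name = {g.name: g for g in groups}
    approved = set()
    for grp, user, approver in approvals:
        g = by_name.get(grp)
        if g is not None and g.owner is not None and approver == g.owner:
            approved.add((grp, user))
    findings: Dict[str, List[str]] = {}
    for g in groups:
        missing = sorted(u for u in g.members if (g.name, u) not in approved)
        if missing:
            findings[g.name] = missing
    return findings


def review_required(groups: List[Group]) -> List[str]:
    """Ownerless groups in which a non-owner can grant membership: existing
    members need review, not only future requests."""
    return sorted(g.name for g in groups if g.owner is None and g.can_modify_membership)


def audit(groups: List[Group], approvals: List[Tuple[str, str, str]]) -> Dict[str, object]:
    return {
        "ownerless": ownerless_groups(groups),
        "unaccountable_access": unaccountable_access(groups, approvals),
        "existing_access_review_required": review_required(groups),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(GROUPS, APPROVALS), indent=2))
```

Note that `carol` is flagged even though an approval record exists, because the approver was not the owner: approval is only accountable when it comes from the designated owner, which is exactly why the missing owner is the auditor's concern. Against Active Directory the ownerless-group part of this check corresponds to groups whose `ManagedBy` attribute is empty (for example `Get-ADGroup -Filter * -Properties ManagedBy | Where-Object { -not $_.ManagedBy }`), an assumption about the directory rather than anything the question states.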