Exam CISA topic 1 question 1795 discussion

A. Administrator access is provided for a limited period with an expiration date. Let’s briefly break down the others: B. Access on a need-to-know basis 🔸 This is a strong principle but is more general. It doesn’t ensure time restrictions or administrative oversight, which are critical with cloud-based external access. C. User IDs are deleted when work is completed 🔸 A good clean-up control, but it’s reactive, not proactive. It still leaves a window of potential exposure until deletion occurs. D. Access aligns with SLA 🔸 Vague. SLAs usually define service performance, not granular access control. So it’s not sufficient as a security measure.

Given the question’s focus on "granting access," the most effective control is one that ensures access is appropriately scoped from the start. The manual’s emphasis on least privilege in Section 5.3 ("The principle of least privilege requires that users be granted only the minimum level of access necessary to perform their job functions," p. 373) and its application to third parties in Section 2.9 ("third-party access is restricted to only the systems and data necessary," p. 143) strongly supports Option B. This control minimizes risk proactively, aligning with cloud security responsibilities and vendor management best practices.

I am pretty sure A is the correct answer as it has an expiration time. Option C says they are deleted when work is completed which is a good idea and should be done but when work is completed is very arbitrary. B doesn’t make a lot of sense. Access is provided on a need to know basis. I mean, duh. Right, they shouldn’t just access all the time whenever. Which is why I lean toward A. Because it has an expiration date so it doesn’t necessarily matter if the work got completed. They can get granted access again without it extending too long. Hopefully that makes sense to anyone else who is struggling with the options given.