An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:

A. accept the DBA access as a common practice.

B. assess the controls relevant to the DBA function.

C. recommend the immediate revocation of the DBA access to production data.

D. review user access authorizations approved by the DBA.

Explanation:
It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.


