Certified Information Systems Auditor (CISA) — Question 1098
Which of the following is the MOST effective control when granting access to a service provider for a cloud-based application?
Answer options
- A. Administrator access is provided for a limited period with an expiration date.
- B. Access has been provided on a need-to-know basis.
- C. User IDs are deleted when work is completed.
- D. Access is provided to correspond with the service level agreement (SLA).
Correct answer: B
Explanation
The most effective control is granting access on a need-to-know basis (B), as it minimizes the risk of unauthorized access. While time-limited administrator access with an expiration date (A) and deleting user IDs when work is completed (C) are good practices, they do not offer the same level of security as ensuring that access is strictly based on necessity. Providing access according to the SLA (D) may not adequately limit exposure to sensitive information.