Certified Information Systems Auditor (CISA) — Question 1225
During an audit of a mortgage processing application, an IS auditor identifies that the application allows all users to export large quantities of sensitive customer data. Which of the following is the BEST control for the auditor to recommend to mitigate this risk?
Answer options
- A. Restrict download capability to authorized users.
- B. Require strong passwords for application login.
- C. Periodically recertify user access.
- D. Mask sensitive data within the application.
Correct answer: A
Explanation
Option A is the most effective control because it limits access to sensitive customer data by ensuring that only authorized users can download it. Option B, while important for security, does not address the specific risk of unauthorized data export. Option C helps maintain access control but does not prevent current unauthorized access. Option D protects data visibility but does not address the ability to export data.