An auditor is testing a client's firewall configuration. They notice a rule that allows 'Any' source IP to access the database port (1433) directly from the internet. Which security principle is violated?

Answer options:

Separation of Duties

Least Privilege

Non-repudiation

Availability

How to approach this question

Opening a port to 'Any' gives privilege to everyone. You should only give it to the specific server needing it.

Full Answer

B.Least Privilege✓ Correct

Least Privilege

The Principle of Least Privilege states that systems/users should only have the access necessary to perform their function. Allowing 'Any' source violates this by granting global access.

Common mistakes

Thinking this is a 'Defense in Depth' issue (it is, but Least Privilege is the specific principle violated by the rule).

Question 35 All questions Question 37

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →