Medium · 1 mark · Multiple Choice
CPA · Question 23 · Area II: Security
An auditor is reviewing the 'Least Privilege' implementation for a database. They find that the 'Reporting_User' role has 'DROP TABLE' permissions. Why is this a control deficiency?
Answer options:
A. Reporting users only need read access (SELECT), not delete capabilities.
B. DROP TABLE is a command that should only be available to the CEO.
C. Reporting users should have full administrative rights to generate accurate reports.
D. DROP TABLE permissions cause performance issues.
How to approach this question
Define the job function (Reporting) and the permission (DROP = Delete). Do they match? No.
Full Answer
A. Reporting users only need read access (SELECT), not delete capabilities. ✓ Correct
The principle of least privilege dictates that users should only have the access necessary to perform their job functions. A reporting user needs SELECT permissions. DROP TABLE allows deletion of data structures, which is a massive risk and unnecessary for reporting.
Common mistakes
Assuming reporting requires high-level access.