Identity & Access Management (Part 2 of 2)
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series continues from Part 1 and goes deeper into how access is controlled and protected at the logical level. At a topic level, the session covers digital rights management, logical access controls and their exposures, logon ID and password security, common password attacks, remote access risks, biometric measurement, federated identity, and how IS auditors review logical access.
What this episode covers
- Digital rights management (DRM): how DRM controls content usage through restriction types and enforcement technologies, and the risk-based approach to deciding where to apply it.
- Logical access controls: the three-step process of identification, authentication, and authorization, and the exposures that follow when it fails, including data leakage and malicious shutdown.
- Access control software: how it works across the network, operating system, database, and application layers, with the strongest protection at the network and OS levels.
- Logon ID and password security: unique IDs, handling of default accounts, session timeouts, password hashing, lockout policies, and emergency (firecall) credentials.
- Password attack methods: sniffing, phishing, brute force, dictionary, keylogging, rainbow-table attacks, credential stuffing, and password spraying, plus the defenses for each.
- Remote access risks and biometric measurement: the exposures opened by remote connections and the key biometric error rates, including false rejection, false acceptance, and the crossover error rate.
- Federated identity management and the auditor's path: how federation differs from single sign-on and the step-by-step audit approach to logical access controls.
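The password-hashing and rainbow-table points above are easiest to see side by side. The following Python example is added here and is not code from the episode or from RooCloud; the "precomputed table" is a constructed five-entry stand-in for a real rainbow table, and the PBKDF2 iteration count is a placeholder rather than an organizational policy value.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny precomputed table of unsalted SHA-256 digests of common
# passwords. A real rainbow table is enormous, but the lookup works the same way.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Winter2024!"]


def unsalted_hash(password: str) -> str:
    """The weak design: one deterministic digest per password, so tables can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hash: str):
    """Attacker side: reverse a stolen digest by table lookup instead of guessing."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password: str, iterations: int = 600_000) -> dict:
    """Defender side: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt makes every stored hash unique even for identical passwords, so a table
    precomputed in advance matches nothing; the iteration count slows online guessing.
    The default count here is a placeholder, not a policy recommendation.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo():
    """Returns (cracked plaintext, salted hashes differ?, table hit on salted?, good login, bad login)."""
    stolen_unsalted = unsalted_hash("letmein")
    cracked = lookup_precomputed(stolen_unsalted)          # instant recovery: "letmein"
    rec1 = store_salted("letmein")
    rec2 = store_salted("letmein")                         # same password, different salt
    differ = rec1["hash"] != rec2["hash"]
    table_hit = lookup_precomputed(rec1["hash"])           # None: no precomputed match
    return cracked, differ, table_hit, verify_salted("letmein", rec1), verify_salted("wrong", rec1)


if __name__ == "__main__":
    print(demo())
```

The same digest for the same password is exactly what a rainbow table exploits; once each record carries its own salt, the attacker has to repeat the full KDF cost per user, which is what the lockout and hashing controls in the episode are meant to force.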
Frequently Asked Questions
What is digital rights management and how is it enforced?
Digital rights management, or DRM, is the hardware and software that controls how digital content is used, protecting copyrights and limiting copying, editing, sharing, and printing. It is enforced through technologies such as password protection, digital watermarking, device control, restrictive licensing, hashing to prove content integrity, secure protocols, and time-bound decryption keys. Best practice is to inventory content and apply DRM in proportion to each item's risk level rather than uniformly.
What are the common password attack methods an IS auditor should recognize?
Common attacks include sniffing, which intercepts passwords sent in clear text; phishing, which tricks users into handing passwords over; brute-force attacks, which try every possible combination; dictionary attacks, which guess from lists of common words and the user's personal details; keyloggers, which record keystrokes; rainbow-table attacks, which match stolen hashes against precomputed tables and are defeated by salting; credential stuffing, which reuses passwords stolen in other breaches; and password spraying, which tries a few common passwords against many accounts so that no single account reaches the lockout threshold.
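Password spraying is designed to slip past a per-account lockout, so detection has to pivot on the source rather than the account. The following Python example is added here and is not from the episode; the log lines are constructed (RFC 5737 test addresses, invented usernames) and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample authentication log, not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=192.0.2.10 user=alice result=OK
2024-05-01T09:00:05Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:06Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:07Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:08Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:09Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:10Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:01:00Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T09:01:01Z src=203.0.113.9 user=carol result=FAIL
2024-05-01T09:01:02Z src=203.0.113.9 user=dave result=FAIL
2024-05-01T09:01:03Z src=203.0.113.9 user=erin result=FAIL
2024-05-01T09:01:04Z src=203.0.113.9 user=frank result=FAIL
2024-05-01T09:01:05Z src=203.0.113.9 user=grace result=OK
2024-05-01T09:02:00Z src=192.0.2.11 user=carol result=FAIL
2024-05-01T09:02:30Z src=192.0.2.11 user=carol result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse(log_text: str) -> list:
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text: str, lockout_threshold: int = 5, spray_min_accounts: int = 5) -> dict:
    """Separate brute force (many failures, one account) from spraying (few failures, many accounts).

    - locked_out: accounts a per-account lockout policy would have disabled.
    - brute_force_sources: sources that pushed at least one account past the threshold.
    - spray_sources: sources that failed against many distinct accounts while staying
      under the threshold on every one of them, so the lockout never fires.
    - spray_successes: accounts a spraying source eventually logged into.
    """
    fails_by_user = defaultdict(int)
    fails_by_src_user = defaultdict(lambda: defaultdict(int))
    success_by_src = defaultdict(set)
    for e in parse(log_text):
        if e["result"] == "FAIL":
            fails_by_user[e["user"]] += 1
            fails_by_src_user[e["src"]][e["user"]] += 1
        else:
            success_by_src[e["src"]].add(e["user"])

    locked = sorted(u for u, n in fails_by_user.items() if n >= lockout_threshold)
    brute = sorted(src for src, per_user in fails_by_src_user.items()
                   if max(per_user.values()) >= lockout_threshold)
    spray = sorted(src for src, per_user in fails_by_src_user.items()
                   if len(per_user) >= spray_min_accounts
                   and max(per_user.values()) < lockout_threshold)
    spray_hits = {src: sorted(success_by_src[src]) for src in spray if success_by_src[src]}
    return {"locked_out": locked, "brute_force_sources": brute,
            "spray_sources": spray, "spray_successes": spray_hits}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

In the constructed data the brute-force source trips the lockout on one account and is easy to spot, while the spraying source never exceeds one failure per account and would be invisible to a lockout-only control; only counting distinct failed accounts per source, and then checking whether that source ever succeeded, surfaces it.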
How is biometric system accuracy measured?
Biometric accuracy is measured using three key rates: the false rejection rate (FRR), which wrongly denies a valid user and is a usability and availability problem rather than a security risk; the false acceptance rate (FAR), which wrongly admits an impostor and is the genuinely dangerous error; and the crossover error rate (CER, also called the equal error rate), the point where FAR and FRR are equal as the acceptance threshold is tuned. Tightening the threshold lowers FAR but raises FRR, so the two trade off; the lower the crossover error rate, the more accurate the system. The failure-to-enroll rate also matters and counts the people the system cannot register at all.
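The following Python example is added here and is not from the episode; it works the FAR, FRR and crossover computation through on constructed matcher scores (0 means no match, 1 means a perfect match) and a constructed enrollment outcome list, so the numbers illustrate the method rather than any real device.

```python
# Constructed matcher scores, not measurements from any product.
GENUINE = [0.55, 0.62, 0.70, 0.75, 0.80, 0.82, 0.88, 0.90, 0.93, 0.97]   # valid users
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.58, 0.65, 0.72, 0.85]  # impostors
ENROLLMENT = [True] * 48 + [False] * 2   # constructed: 2 of 50 people could not be registered


def rates_at(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR and FRR when a sample is accepted iff its score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors wrongly admitted
    frr = sum(s < threshold for s in genuine) / len(genuine)      # valid users wrongly denied
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 100):
    """Sweep the threshold from 0 to 1 and return (threshold, CER) where FAR and FRR meet.

    With discrete samples the curves may not cross exactly, so the CER is reported as the
    mean of FAR and FRR at the threshold where their gap is smallest.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def failure_to_enroll_rate(enrollment_results=ENROLLMENT) -> float:
    """Share of people the system could not register at all."""
    return sum(1 for ok in enrollment_results if not ok) / len(enrollment_results)


def tradeoff_table(thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)) -> dict:
    """Show the FAR/FRR trade-off: tightening the threshold lowers FAR and raises FRR."""
    return {t: rates_at(t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in tradeoff_table().items():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("crossover:", crossover_error_rate())
    print("failure to enroll:", failure_to_enroll_rate())
```

On the constructed scores a loose threshold admits half the impostors with no false rejections, a strict one rejects most valid users with no false acceptances, and the crossover sits between them; comparing two systems by their CER, rather than by FAR or FRR alone, is what keeps a vendor from quoting only the flattering rate.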
What is federated identity management and how does it differ from single sign-on?
Federated identity management lets multiple organizations share identity data so that one login works across all of them, resting on mutual trust that is usually established by contract. A user requests access from a service provider, which refers the request to the user's identity provider; the identity provider authenticates the user and issues a token, which the service provider validates before granting access. Single sign-on works within one organization and is centralized, while federation extends that concept across multiple organizations in a decentralized and often consumer-facing way.
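The exchange described above, as an added Python example that is not part of the episode or any vendor's code: the contract between the two organizations is modelled as a shared HMAC key exchanged out of band, the organization and user names are invented, and the token format is a deliberately simplified stand-in for a signed SAML assertion or OIDC ID token. It exists to show the roles and the checks the service provider must perform, not a real protocol.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared secret standing in for the contractual trust between the two parties.
FEDERATION_KEY = b"contract-key-exchanged-out-of-band"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


class IdentityProvider:
    """Organization A: authenticates its own users and issues signed tokens."""

    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self.key, self.users = name, key, users   # users: constructed {name: password}

    def authenticate_and_issue(self, username, password, audience, now, ttl=300):
        if self.users.get(username) != password:
            return None                                      # no token without authentication
        claims = {"iss": self.name, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + b"." + _b64e(sig)


class ServiceProvider:
    """Organization B: stores no passwords; accepts tokens only from contracted issuers."""

    def __init__(self, name: str, trusted_idps: dict):
        self.name, self.trusted = name, trusted_idps         # {issuer name: shared key}

    def validate(self, token: bytes, now):
        try:
            body, sig = token.split(b".")
            claims = json.loads(_b64d(body))
        except ValueError:                                   # covers base64 and JSON errors
            return False, "malformed token"
        if not isinstance(claims, dict):
            return False, "malformed token"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return False, "untrusted issuer"                 # no contract, no trust
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return False, "bad signature"                    # token altered or forged
        if claims.get("aud") != self.name:
            return False, "wrong audience"                   # issued for a different SP
        if now >= claims.get("exp", 0):
            return False, "expired"
        return True, claims["sub"]


def run_demo(now: int = 1_700_000_000) -> dict:
    idp = IdentityProvider("idp.example-a", FEDERATION_KEY, {"alice": "correct horse"})
    sp = ServiceProvider("app.example-b", {"idp.example-a": FEDERATION_KEY})
    other_sp = ServiceProvider("billing.example-c", {"idp.example-a": FEDERATION_KEY})
    token = idp.authenticate_and_issue("alice", "correct horse", "app.example-b", now)

    # Forgery attempt: keep the genuine signature but change the subject in the body.
    body, sig = token.split(b".")
    claims = json.loads(_b64d(body))
    claims["sub"] = "mallory"
    forged = _b64e(json.dumps(claims, sort_keys=True).encode()) + b"." + sig

    return {
        "wrong_password": idp.authenticate_and_issue("alice", "nope", "app.example-b", now),
        "accepted": sp.validate(token, now + 60),
        "wrong_audience": other_sp.validate(token, now + 60),
        "expired": sp.validate(token, now + 600),
        "tampered": sp.validate(forged, now + 60),
        "untrusted": ServiceProvider("app.example-b", {}).validate(token, now + 60),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The point for an auditor is the checklist inside validate: issuer is a contracted party, signature verifies, audience is this service, and the token has not expired. A service provider that skips the audience check will accept a token issued for a different relying party, and one that skips the issuer check extends trust to anyone who can produce the token format.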
Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Identity & Access Management (Part 2 of 2).