The IS security group is planning to implement single sign-on.
What is the IS auditor's PRIMARY concern?
The IS security group's plan to implement single sign-on (SSO) raises several security concerns that an IS auditor should consider. SSO enables users to authenticate once and access multiple systems, applications, or resources without having to enter credentials repeatedly. This convenience can improve user productivity, reduce password-related issues, and simplify access control management. However, SSO also introduces several risks that an IS auditor should evaluate.
Among the given answer choices, the primary concern for the IS auditor would be option D - Compromise of a user ID/password will yield more privileges. This concern relates to the fact that SSO creates a single point of failure, meaning that if an attacker manages to obtain a user's authentication credentials, they can access all the systems, applications, or resources that the user is authorized to use. In contrast, if each system had a separate authentication mechanism, the compromise of one password would not necessarily give access to other systems. Therefore, the impact of a credential compromise is much higher in an SSO environment.
Options A and C are less critical concerns for the IS auditor. Integrated access rules can both increase and restrict users' access privileges, depending on how they are implemented. However, access privileges are a separate issue from authentication and authorization. Moreover, SSO can actually help enforce consistent access rules across multiple systems, reducing the risk of discrepancies or errors.
Option B is also a concern, as managing user IDs and passwords is still necessary in an SSO environment, albeit to a lesser extent. In fact, SSO may require additional efforts to integrate with existing authentication mechanisms, configure trust relationships, and ensure proper access controls. However, this concern is secondary to the primary risk of credential compromise.
Therefore, the IS auditor's primary concern regarding the IS security group's plan to implement single sign-on is the potential for compromised credentials to yield more privileges. The auditor should ensure that the SSO solution includes adequate security controls, such as strong authentication methods, session management, access monitoring, and incident response procedures. The auditor should also verify that the access rules and privileges granted through SSO are consistent with the organization's security policies and regulatory requirements.
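As an added illustration that is not part of the original answer, the following Python model shows the blast-radius difference the explanation describes (one stolen credential unlocking every entitled application under SSO versus a single application without it) together with one access-monitoring check of the kind the auditor would expect an SSO deployment to have. The entitlement table, the identity-provider audit events and the alert thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: the applications each user is entitled to use.
ENTITLEMENTS = {
    "alice": {"hr", "finance", "crm", "wiki"},
    "bob": {"wiki"},
}

def blast_radius(user, compromised_app, sso):
    """Applications an attacker reaches after obtaining the credential that
    `user` presents to `compromised_app`. With SSO the one credential unlocks
    every entitlement; with per-system credentials only that application."""
    apps = ENTITLEMENTS.get(user, set())
    if compromised_app not in apps:
        return set()
    return set(apps) if sso else {compromised_app}

# Constructed identity-provider audit events: (timestamp, user, app, source_ip).
# The 203.0.113.9 burst models a stolen SSO credential sweeping every app.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "wiki", "10.0.0.5"),
    ("2024-05-01T09:01:10", "alice", "hr", "10.0.0.5"),
    ("2024-05-01T13:00:00", "alice", "crm", "203.0.113.9"),
    ("2024-05-01T13:00:20", "alice", "finance", "203.0.113.9"),
    ("2024-05-01T13:00:40", "alice", "hr", "203.0.113.9"),
    ("2024-05-01T13:01:00", "alice", "wiki", "203.0.113.9"),
    ("2024-05-01T14:00:00", "bob", "wiki", "10.0.0.7"),
]

def fan_out_alerts(events, window=timedelta(minutes=5), max_apps=3):
    """Flag (user, source_ip) pairs that reach more than `max_apps` distinct
    applications within `window`. Because SSO removes the per-system logon,
    a rapid fan-out across many applications from one source is a useful
    signal that a credential may have been compromised."""
    seen = defaultdict(list)  # (user, ip) -> [(time, app), ...] inside window
    alerts = set()
    for ts, user, app, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (user, ip)
        # Drop events that have aged out of the sliding window.
        seen[key] = [(t0, a) for t0, a in seen[key] if t - t0 <= window]
        seen[key].append((t, app))
        if len({a for _, a in seen[key]}) > max_apps:
            alerts.add(key)
    return alerts
```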