An IS auditor is reviewing the physical security measures of an organization. Regarding the access
card system, the IS auditor should be MOST concerned that:
nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no
proof of identity.
access cards are not labeled with the organization’s name and address to facilitate easy return of a
card issuance and rights administration for the cards are done by different departments, causing
unnecessary lead time for new cards.
the computer system used for programming the cards can only be replaced after three weeks in the
event of a system failure.
Physical security is meant to control who is entering a secured area, so identification of all
individuals is of utmost importance. It is not adequateto trust unknown external people by allowing
them to write down their alleged name without proof, e.g., identity card, driver’s license. Choice B
is not a concern because if the name and address of the organization was written on the card, a
malicious finder could use the card to enter the organization’s premises. Separating card issuance
from technical rights management is a method to ensure a proper segregation of duties so that no
single person can produce a functioning card for a restrictedarea within the organization’s premises.
Choices B and C are good practices, not concerns. Choice D may be a concern, but not as
important since a system failure of the card programming device would normally not mean that the
readers do not functionanymore. It simply means that no new cards can be issued, so this option
is minor compared to the threat of improper identification.