CISA Certified Information Systems Auditor – Question1651 - CISA Certified Information Systems Auditor

What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)?

A. The processes of the external agency should be subjected to an IS audit by an independent agency.
B. Employees of the external agency should be trained on the security procedures of the organization.
C. Any access by an external agency should be limited to the demilitarized zone (DMZ).
D. The organization should conduct a risk assessment and design and implement appropriate controls.

Correct Answer: D

Explanation:

Explanation:
Physical access of information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly. The processes of the external agency are not of concern here. It is the agency’s interaction with the organization that needs to be protected. Auditing their processes would not be relevant in this scenario. Training the employees of the external agency may be one control procedure, but could be performed after access has been granted. Sometimes an external agency may require access to the processing facilities beyond the demilitarized zone (DMZ). For example, an agency which undertakes maintenance of servers may require access to the main server room. Restricting access within the DMZ will not serve the purpose.