CCISO (712-50) Executive Decision Simulation
Develop strategic decision-making skills. Learn to identify governance failures, enforce segregation of duties, and manage formal risk escalation paths.
Executive Briefing
You are the CISO of a mid-sized financial technology (FinTech) company that processes high-volume transactions 24/7. Due to a recent series of resignations, the IT Operations team is severely understaffed on the night shift.
To maintain service uptime without incurring the cost of emergency contractors, the Director of IT made a verbal agreement to have the primary Security Administrator fill in as the Senior Computer Operator for one night shift per week.
Business Context
Risk Appetite: The business is heavily regulated (SOX, GLBA) and has a zero-tolerance policy for undocumented control exceptions, including any new insider threat vector introduced without formal risk acceptance.
Strategic Objective: Maintain operational uptime without compromising the integrity of the control environment. Operational convenience cannot quietly supersede established security governance frameworks.
Decision Scenario
During a routine internal audit, an IT Auditor discovers this temporary staffing arrangement. The auditor recognizes that the person responsible for monitoring and configuring security controls is now simultaneously executing sensitive system operations.
As an executive reviewing the audit process, you must determine the strictly correct governance action the auditor should take immediately upon this discovery.
Question
The most appropriate course of action for the IT auditor is to:
Strategic Analysis
- What is the real problem: A critical Segregation of Duties (SoD) violation has occurred. The individual responsible for configuring security controls and overseeing the audit logs now also has the operational access to change the production system and, if so inclined, to alter or delete the records of having done so.
- Business vs security perspective: Operations prioritized short-term uptime over long-term compliance and control integrity. The business need (staffing) is legitimate, but a verbal, undocumented arrangement that bypasses a foundational control, with no executive risk acceptance and no compensating controls, is a governance failure regardless of intent.
- Risk and impact analysis: This arrangement exposes the company to regulatory findings and penalties (e.g., a SOX control deficiency) and to insider threat. Even if the administrator acts in good faith, the logs covering those shifts lose their evidentiary value, because the person who could have caused an incident is also the person who could have edited the evidence.
- Why correct answer is BEST (Option B): Informing senior management is the only appropriate governance action. Management owns the risk; the auditor identifies and reports it. Once informed, management can formally accept the risk on the risk register with compensating controls (for example, forwarding audit logs to a store the administrator cannot modify and having a second person review the activity from each covered shift), or allocate budget to staff the night shift properly.
- Why other options are weaker:
  - Review system logs (A): A tactical, reactive measure. The Security Administrator likely has the ability to alter these logs, so a review cannot be relied on as evidence, and it does nothing to correct the governance failure.
  - Develop a CAAT (C): Over-engineering a technical solution to a management and staffing problem. Building a computer-assisted audit technique is slow, costly, and ignores the root governance issue.
  - Work with the security officer (D): Destroys the auditor's independence. Auditors evaluate controls; they do not participate in operating the control environment they will later have to assess.
MINI LESSON: Segregation of Duties & Risk Ownership
Segregation of Duties (SoD) ensures that no single individual has both the authority to execute a sensitive transaction and the ability to conceal it. When operational realities force an SoD conflict, it cannot be handled quietly by middle management or by verbal agreement. It must trigger a formal risk escalation, where senior executives explicitly decide either to fund a solution or to accept the risk on the corporate risk register, with the compensating controls that make that acceptance defensible documented alongside it.