Episode 70: Data Loss Prevention

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Access control is one of the most critical foundations of cybersecurity. It determines who can access what resources, when that access is allowed, and under which conditions it should be granted or denied. Effective access control directly supports the confidentiality, integrity, and availability of systems and data. When it is implemented correctly, access control prevents unauthorized users from viewing, altering, or deleting information and limits exposure from both internal and external threats. From a compliance standpoint, most information security regulations and standards require the enforcement of access restrictions to ensure that sensitive data is protected and used appropriately. The CISA exam frequently includes questions about access control mechanisms, scenarios where controls fail, and how auditors should review access decisions. Understanding how access is granted, monitored, and reviewed is essential for evaluating the overall security posture of an organization.
There are three primary categories of access control that work together to manage risk. Administrative controls are policy-driven. They include training programs, onboarding and offboarding procedures, background checks, and security policies that define how access should be requested, approved, and used. Technical controls refer to system-based enforcement mechanisms. These include authentication systems, encryption, firewalls, user permissions, and monitoring tools. Physical controls protect the actual infrastructure. They include locked doors, badge readers, cameras, and security guards. While these categories may operate independently, strong security comes from ensuring that they support each other. For example, a biometric door lock is a physical control that must align with technical identity management. Auditors are expected to evaluate whether all three categories are deployed appropriately for the environment and whether the organization is enforcing them consistently across people, systems, and facilities.
There are several models used to define how access permissions are granted, each with strengths and tradeoffs. Discretionary access control allows the owner of a resource to decide who has access. This model is flexible but can lead to inconsistent enforcement. Mandatory access control uses classifications such as confidential or top secret to enforce access rules based on security levels. It is highly structured and often used in government or military environments. Role-based access control assigns permissions based on a person’s job role, simplifying the management of large user populations by mapping access to responsibilities. Attribute-based access control takes this further by evaluating a combination of attributes such as user location, device type, or time of day to make decisions. The CISA exam may present scenarios that require you to choose the most appropriate model for a given environment. Understanding how each model functions and where it is best applied will help you answer those questions with confidence.
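As an added illustration, not part of the prepcast episode, the following Python sketch contrasts role-based and attribute-based decisions for the same request. The role catalogue, the business-hours window, and the location and device rules are all assumed values constructed for the example; a real deployment would pull them from the identity provider and policy engine.

```python
from dataclasses import dataclass
from datetime import time

# Constructed role catalogue (RBAC): permissions are attached to job roles,
# so managing access means managing role membership, not individual grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read"},
}


def rbac_allows(roles, permission):
    """RBAC decision: grant if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


@dataclass
class Request:
    user: str
    roles: list
    permission: str
    location: str        # e.g. "hq", "vpn", "home_wifi" (assumed labels)
    device_managed: bool  # True when the endpoint is enrolled in device management
    at: time              # local time of the request


# Assumed business-hours window used by the ABAC policy below.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# ABAC policy: every rule must hold in addition to the role check.
ABAC_POLICY = [
    (lambda r: r.location in {"hq", "vpn"}, "only from HQ or corporate VPN"),
    (lambda r: r.device_managed, "only from a managed device"),
    (lambda r: BUSINESS_HOURS[0] <= r.at <= BUSINESS_HOURS[1], "only during business hours"),
]


def abac_decision(req):
    """ABAC decision layered on RBAC: returns (allowed, list_of_failed_rules)."""
    if not rbac_allows(req.roles, req.permission):
        return False, ["role does not carry the permission"]
    failures = [why for rule, why in ABAC_POLICY if not rule(req)]
    return (not failures), failures


if __name__ == "__main__":
    req = Request("dana", ["ap_manager"], "invoice:approve", "home_wifi", True, time(22, 30))
    print("RBAC:", rbac_allows(req.roles, req.permission))
    print("ABAC:", abac_decision(req))
```

The point the comparison makes is that RBAC answers "does this role ever get this permission?", while ABAC also asks "under these conditions?"; the same manager who is allowed by role can still be denied from an unmanaged device or outside business hours.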
Authentication techniques are how users prove their identity before gaining access. These techniques are categorized by the type of factor they use. Something you know includes passwords and personal identification numbers. Something you have may include key cards, smart tokens, or one-time password generators. Something you are includes biometric characteristics like fingerprints, voice patterns, or facial features. A newer category, something you do, analyzes behavior patterns such as typing rhythm or navigation style. Multi-factor authentication uses a combination of two or more of these types to enhance security. For example, requiring both a password and a code sent to a mobile device creates a second line of defense. This makes it much harder for attackers to gain access even if one credential is compromised. On the CISA exam, candidates should be able to identify the weaknesses of single-factor authentication and understand how multi-factor strategies mitigate common risks.
Logical access controls apply to systems, software applications, and data environments. These controls include user IDs, passwords, and authentication protocols, but also extend to session timeout settings, access restrictions based on time or IP address, and encryption of data in transit. Organizations use these controls to ensure that users can only access systems and data that are relevant to their role. Logical controls also apply to endpoints such as laptops and mobile devices, remote access through virtual private networks, and access to cloud services. They may include application-level restrictions that prevent users from seeing specific data fields or submitting certain types of transactions. Auditors examine whether logical controls are in place and whether they correspond to the user’s assigned role or job function. Misalignment between system permissions and user responsibilities can expose the organization to unnecessary risk.
Physical access control is equally important in safeguarding systems and data. These controls ensure that only authorized personnel can enter secure areas such as server rooms, data centers, or telecommunications closets. Access may be granted through badge readers, keypads, biometric scanners, or physical keys. Visitor logs and surveillance footage are used to track who enters and exits these spaces. Integrating physical access systems with logical identity management platforms allows for unified monitoring and improved accountability. For example, if someone accesses a secure room but does not log into any system, it may raise a red flag. Physical breaches often result from weak or unenforced controls, such as propped-open doors or shared access badges. CISA scenarios may include incidents involving physical security weaknesses, requiring candidates to assess how these controls should be evaluated and enforced.
Evaluating access requests and approval workflows is a key part of auditing access controls. Organizations must have a formal process for requesting access, including documented justification and approval by a manager or system owner. This workflow ensures that access is not granted informally or without oversight. Access to sensitive systems should require additional scrutiny, especially when segregation of duties is involved. Segregation of duties prevents conflicts by ensuring that no one individual can perform incompatible tasks, such as approving and executing a payment. Emergency access procedures must also be defined. These allow users to gain temporary access in urgent situations, but they must be time-limited, logged, and reviewed afterward. Auditors assess whether access requests are reviewed, approved, and documented properly. Any exceptions or overrides must also be recorded and justified. On the exam, candidates may be asked to identify gaps in approval processes or to assess whether the principle of least privilege is being maintained.
Monitoring access activity is essential for detecting misuse, anomalies, or unauthorized attempts. Logs should capture who accessed what resource, when access occurred, and from what location or device. This includes successful logins, failed attempts, and any actions taken within the system. Monitoring systems should be configured to generate alerts when patterns deviate from normal behavior. For example, access attempts outside of normal hours, repeated login failures, or access from unusual locations should trigger review. Logs must be stored securely with access controls to prevent tampering. Integration with a security information and event management platform allows alerts and logs to be correlated with other events and escalated when needed. CISA candidates should understand the role of access logs in both auditing and incident response, and be able to assess whether the organization is monitoring access activity effectively and responding to alerts in a timely manner.
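To make the monitoring rules above concrete, here is an added Python example (not from the prepcast) that parses a handful of constructed access-log lines and raises the three kinds of alert the passage names: off-hours logins, repeated login failures, and access from an unusual location. The log format, the business-hours window, the failure threshold, and the per-user location baseline are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system). Each line carries
# the fields the passage says a log should record: who, what, when, and from where.
SAMPLE_LOGS = """\
2024-03-04T09:02:11 user=alice result=OK   src=198.51.100.20 geo=US action=login
2024-03-04T09:05:40 user=alice result=OK   src=198.51.100.20 geo=US action=read payroll
2024-03-04T02:15:03 user=bob   result=OK   src=198.51.100.33 geo=US action=login
2024-03-04T10:00:01 user=carol result=FAIL src=203.0.113.7   geo=DE action=login
2024-03-04T10:00:09 user=carol result=FAIL src=203.0.113.7   geo=DE action=login
2024-03-04T10:00:15 user=carol result=FAIL src=203.0.113.7   geo=DE action=login
2024-03-04T10:00:22 user=carol result=FAIL src=203.0.113.7   geo=DE action=login
2024-03-04T10:00:30 user=carol result=FAIL src=203.0.113.7   geo=DE action=login
2024-03-04T11:30:00 user=alice result=OK   src=203.0.113.50  geo=BR action=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)\s+"
    r"src=(?P<src>\S+)\s+geo=(?P<geo>\S+)\s+action=(?P<action>.+)$"
)


def parse_log(text):
    """Parse the assumed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not stop the monitor
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


# Assumed tuning values for the example.
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59
FAIL_THRESHOLD = 5                     # failures that trigger an alert
FAIL_WINDOW = timedelta(minutes=5)     # sliding window for counting failures
# Assumed per-user baseline of expected countries (in practice fed from HR/IdP data).
USER_BASELINE_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def detect_anomalies(events):
    """Return (user, reason, timestamp) alerts for the three rules in the passage."""
    alerts = []
    recent_failures = defaultdict(deque)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        # Rule 1: successful login outside business hours.
        if e["action"] == "login" and e["result"] == "OK" and ts.hour not in BUSINESS_HOURS:
            alerts.append((user, "off-hours login", ts))
        # Rule 2: repeated failures inside a sliding window; fires when the count reaches the threshold.
        if e["result"] == "FAIL":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:
                alerts.append((user, f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}", ts))
        # Rule 3: successful access from a country outside the user's baseline.
        if e["result"] == "OK" and e["geo"] not in USER_BASELINE_GEO.get(user, set()):
            alerts.append((user, f"access from unusual location {e['geo']}", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOGS)):
        print(alert)
```

In a real environment these rules would run inside the SIEM the passage mentions, and the log source itself would be write-protected so that the evidence feeding the alerts cannot be altered by the accounts it is monitoring.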
Periodic access reviews are necessary to ensure that access privileges remain appropriate over time. These reviews typically include an evaluation of dormant accounts, excessive privileges, and users who may have changed roles without having their access updated. Review campaigns may be automated, with system-generated reports distributed to managers or system owners for approval. Each access right must be validated and, if no longer needed, revoked. Reviews should also include shared or generic accounts, which may reduce accountability and increase audit risk. Organizations must have procedures for reviewing and revoking access in cases of resignation, termination, or role change. Auditors confirm that access reviews are conducted on schedule, that findings are addressed, and that review results are documented. CISA questions may involve evaluating the completeness and timeliness of access recertification activities or identifying the consequences of failing to conduct these reviews.
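The following added Python example (not from the prepcast) ties the review checks in this passage to the segregation-of-duties rule from the approval-workflow discussion. It runs a constructed set of accounts through an access review and reports dormant accounts, roles that exceed what the job title calls for, shared or generic accounts, and segregation-of-duties conflicts. The title-to-role mapping, the conflict matrix, the 90-day dormancy threshold, and the account data are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set


@dataclass
class Account:
    username: str
    owner: str               # empty string marks a shared or generic account
    job_title: str
    roles: Set[str]
    last_login: Optional[date]


# Assumed role catalogue: which roles each job title is entitled to hold.
EXPECTED_ROLES = {
    "AP Clerk": {"invoice:create", "invoice:read"},
    "AP Manager": {"invoice:approve", "invoice:read"},
    "Internal Auditor": {"invoice:read"},
}

# Assumed segregation-of-duties matrix: role sets no single person may hold together.
SOD_CONFLICTS = [
    ({"invoice:create", "invoice:approve"}, "can both create and approve a payment"),
]

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


def review_accounts(accounts, today):
    """Return (username, finding) pairs for a recertification campaign."""
    findings = []
    for acct in accounts:
        if not acct.owner:
            findings.append((acct.username, "shared/generic account: no individual accountability"))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.username, "dormant: no login within 90 days"))
        # Roles beyond the job title's entitlement often mean a role change was never cleaned up.
        excess = acct.roles - EXPECTED_ROLES.get(acct.job_title, set())
        if excess:
            findings.append((acct.username, f"excessive privilege for {acct.job_title}: {sorted(excess)}"))
        for conflict, why in SOD_CONFLICTS:
            if conflict <= acct.roles:
                findings.append((acct.username, f"segregation of duties conflict: {why}"))
    return findings


# Constructed review population: dana moved from clerk to manager but kept the clerk role,
# erin has not logged in for months, svc_reports is a generic account, frank is clean.
ACCOUNTS = [
    Account("dana", "Dana R.", "AP Manager", {"invoice:create", "invoice:approve", "invoice:read"}, date(2024, 2, 28)),
    Account("erin", "Erin K.", "AP Clerk", {"invoice:create", "invoice:read"}, date(2023, 8, 1)),
    Account("svc_reports", "", "Internal Auditor", {"invoice:read"}, date(2024, 3, 1)),
    Account("frank", "Frank L.", "Internal Auditor", {"invoice:read"}, date(2024, 3, 3)),
]

if __name__ == "__main__":
    for username, finding in review_accounts(ACCOUNTS, date(2024, 3, 4)):
        print(f"{username}: {finding}")
```

Each finding is something a manager or system owner would have to confirm or revoke during the campaign; keeping the output as structured pairs makes it straightforward to record the reviewer's decision against each item, which is the documentation auditors look for.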
For CISA candidates, the essential takeaway is that access control is not a single tool or policy, but a coordinated system of protections across logical, physical, and administrative domains. You must understand how access is requested, approved, enforced, and reviewed. Be prepared to evaluate user authentication, access provisioning, monitoring, and revocation procedures. On the exam, expect to encounter questions on access control models, authentication types, audit log analysis, and how to recognize segregation of duties conflicts. You will also be asked to evaluate whether access controls align with business roles and whether they are being enforced across all systems. Strong access control does more than restrict entry—it establishes accountability, limits risk, and enables trust across the organization. Auditors play a central role in ensuring that access is granted properly, used responsibly, and reviewed regularly to maintain an effective security posture.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
