The absence of audit logging is the greatest concern because it represents a fundamental failure of accountability and traceability. In a shared system like a CRM, which contains sensitive customer data, it is critical to know who accessed or modified information and when. Without audit logs, it is impossible to detect unauthorized activities, investigate security incidents, or hold individuals accountable for their actions. This lack of a detective and deterrent control undermines the entire access control structure, rendering other controls less effective.

A. The absence of single sign-on is an inconvenience and a potential efficiency loss, but not a critical failure if other authentication controls are strong.

C. An inconsistent security baseline is a significant risk, but its impact may be localized, whereas the lack of logging affects accountability across the entire system.

D. Not requiring complex passwords is a serious vulnerability that increases the risk of unauthorized access, but the lack of logging makes it impossible to even detect or investigate such an access.

1. ISACA

CISA Review Manual

27th Edition. Chapter 4

Section 4.5.3

"Monitoring and Log Management." The manual states

"Logs are records of events that have occurred on a system. They are important for establishing accountability

reconstructing events

detecting intrusions and problem-solving." It further explains that without logs

"it may be impossible to determine...the extent of an intrusion." This highlights that a lack of logging is a critical failure in security monitoring and accountability.

2. ISACA

CobiT 5: Enabling Processes. APO12

Manage Risk

and DSS05

Manage Security Services. Specifically

DSS05.07

"Monitor the infrastructure for security-related events

" emphasizes the need to collect and analyze security logs to identify malicious activity and incidents. The absence of logging makes this entire control practice impossible to implement.

3. Purdue University

"Information System Auditing" Courseware. In modules discussing logical access controls

the principle of accountability is stressed as a cornerstone. Audit trails (logs) are presented as the primary mechanism for enforcing accountability by creating a record of user actions that can be traced back to a specific individual. (Reference to general principles taught in such courses

e.g.

Purdue Global IT 540).