Access Controls | Providing Accountability for Accessing Sensitive Information

Importance of Accountability in Access Controls


Question

Controls provide accountability for individuals who are accessing sensitive information.

This accountability is accomplished:

Answers

Explanations


A.

Controls provide accountability for individuals who are accessing sensitive information.

This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function.

These controls must be in accordance with and accurately represent the organization's security policy.

Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

The correct answer to the question is A: through access control mechanisms that require identification and authentication and through the audit function.

Access control mechanisms are used to ensure that only authorized individuals are allowed access to sensitive information. These mechanisms can include things like passwords, smart cards, biometric authentication, and other forms of identification and authentication. By requiring individuals to identify themselves and prove that they are authorized to access the information, access control mechanisms help to ensure accountability for who is accessing the information.

In addition to access control mechanisms, the audit function is also important for ensuring accountability. The audit function involves the monitoring and recording of system activity, including who accessed what information, when they accessed it, and what they did with it. By recording this information, the audit function provides a means for tracking who accessed sensitive information and how it was used. This helps to deter inappropriate behavior and provides a means for detecting and investigating any suspicious activity that may occur.

Option B, through logical or technical controls involving the restriction of access to systems and the protection of information, is partly correct. Logical or technical controls are indeed used to restrict access to systems and protect information, but this alone does not provide accountability for individuals who are accessing sensitive information.

Option C, through logical or technical controls but not involving the restriction of access to systems and the protection of information, is incorrect. Logical or technical controls are always designed to restrict access to systems and protect information. Without these controls, it would be difficult to ensure the confidentiality, integrity, and availability of sensitive information.

Option D, through access control mechanisms that do not require identification and authentication and do not operate through the audit function, is also incorrect. Access control mechanisms that do not require identification and authentication would not provide any means of accountability, as anyone could access the information without being identified or authorized. And without the audit function, there would be no means of tracking who accessed the information and what they did with it.