You are the administrator of your enterprise.
Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
A. Monitoring and recording unsuccessful logon attempts
B. Forcing periodic password changes
C. Using a challenge-response system
D. Providing access on a need-to-know basis
Correct answer: D
Physical or logical access to systems should be assigned on a need-to-know basis, where there is a legitimate business requirement, following the principles of least privilege and segregation of duties.
This is an authorization decision: authentication only establishes who the user is, while the access rights granted afterwards determine what that user may see or do.
Incorrect Answers: A: Monitoring and recording unsuccessful logon attempts does not address the risk of inappropriately assigned access rights.
In other words, it detects attempts after the fact but does not prevent unauthorized access.
B: Forcing users to change their passwords does not ensure that access rights are appropriately assigned.
C: A challenge-response system verifies the user's identity, but it does not address the access risk if the access rights themselves were not appropriately designed in the first place.
Among the options given, providing access on a need-to-know basis is the BEST control to protect an enterprise from unauthorized individuals gaining access to sensitive information. This is known as the principle of least privilege and it means that individuals are granted access only to the resources that they need to perform their job functions, and no more.
Monitoring and recording unsuccessful logon attempts is a useful control to identify potential attackers trying to gain access to the system, but it does not prevent them from doing so in the first place. It is more of a detective control rather than a preventive one.
Forcing periodic password changes can also be a useful control, but it is not foolproof. Passwords can still be guessed or stolen, and frequent changes can lead to weaker passwords being chosen or written down, defeating the purpose of the control.
A challenge-response system is an authentication mechanism: the system issues a challenge that only a legitimate user (or their token) can answer correctly, and it is often used as one factor in multi-factor authentication. It strengthens the verification of identity, but it is not practical or feasible for all users, it may not be effective against all types of attacks, and it does nothing about a user who has been legitimately authenticated but granted more access than the job requires.
Providing access on a need-to-know basis is the most effective control because it limits the number of individuals who have access to sensitive information, reducing the risk of unauthorized access or disclosure. This control should be supported by other measures such as background checks, training, and monitoring to ensure that access is granted only to authorized individuals and that they use it appropriately.
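To make the distinction concrete, the following is an added example (not part of the original exam explanation) that implements the two controls the page contrasts: a preventive need-to-know authorization check with a segregation-of-duties rule, and a detective monitor that counts failed logons from sample log lines. The roles, permissions, usernames and log lines are all constructed for illustration. Note that an authenticated user with no role assigned (here, "mallory") is still denied, which is the point the explanation makes about authorization versus authentication.

```python
"""Need-to-know authorization (preventive) vs. failed-logon monitoring (detective).

Added example; all roles, users and log lines below are constructed for illustration.
"""
import re
from collections import Counter

# Each role carries only the (resource, action) pairs that job function needs.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll_db", "read"), ("payroll_db", "write")},
    "payroll_auditor": {("payroll_db", "read"), ("audit_log", "read")},
    "helpdesk": {("user_directory", "read"), ("user_directory", "reset_password")},
}

# Segregation of duties: role pairs that one person must never hold together.
# A clerk who can edit payroll must not also be the one who audits it.
SOD_CONFLICTS = {frozenset({"payroll_clerk", "payroll_auditor"})}

# Constructed user-to-role assignments. "mallory" has a valid account
# (can authenticate) but has been granted no role at all.
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob": {"payroll_auditor"},
    "carol": {"helpdesk"},
    "mallory": set(),
}


def sod_violation(roles):
    """Return the conflicting role pair if `roles` breaks segregation of duties, else None."""
    for conflict in SOD_CONFLICTS:
        if conflict <= set(roles):
            return conflict
    return None


def assign_role(user_roles, user, role):
    """Add a role to a user, refusing the change if it would create an SoD conflict."""
    proposed = user_roles.get(user, set()) | {role}
    conflict = sod_violation(proposed)
    if conflict is not None:
        raise ValueError(f"{user} cannot hold both of {sorted(conflict)}")
    user_roles[user] = proposed


def is_authorized(user, resource, action, user_roles=USER_ROLES):
    """Preventive control: allow only if some assigned role needs this (resource, action)."""
    granted = set()
    for role in user_roles.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return (resource, action) in granted


# Constructed authentication log lines in a simple "<timestamp> auth: <result> user=<u> src=<ip>" format.
LOG_LINES = [
    "2024-05-01T09:00:01Z auth: FAILED user=alice src=10.0.0.7",
    "2024-05-01T09:00:02Z auth: FAILED user=alice src=10.0.0.7",
    "2024-05-01T09:00:03Z auth: FAILED user=alice src=10.0.0.7",
    "2024-05-01T09:00:04Z auth: FAILED user=alice src=10.0.0.7",
    "2024-05-01T09:00:05Z auth: OK user=bob src=10.0.0.9",
    "2024-05-01T09:00:06Z auth: FAILED user=bob src=10.0.0.9",
]

FAILED_LOGON = re.compile(r"^\S+ auth: FAILED user=(\S+) src=(\S+)$")


def failed_logon_alerts(lines, threshold=3):
    """Detective control: report (user, source) pairs with >= threshold failed logons.

    This only observes what already happened; it blocks nothing by itself.
    """
    counts = Counter()
    for line in lines:
        match = FAILED_LOGON.match(line)
        if match:
            counts[(match.group(1), match.group(2))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("alice write payroll_db:", is_authorized("alice", "payroll_db", "write"))
    print("bob write payroll_db:", is_authorized("bob", "payroll_db", "write"))
    print("carol read payroll_db:", is_authorized("carol", "payroll_db", "read"))
    print("mallory read payroll_db:", is_authorized("mallory", "payroll_db", "read"))
    try:
        assign_role(dict(USER_ROLES), "bob", "payroll_clerk")
    except ValueError as err:
        print("SoD refused:", err)
    print("failed-logon alerts:", failed_logon_alerts(LOG_LINES))
```

The authorization check answers "may this user do this?" before any data is returned, which is why it prevents disclosure; the log monitor can only raise an alert once the failed attempts are already in the log.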