Ensuring Security Policy Implementation for Information Systems

The Importance of Control Mechanisms in Information System Security


Question

What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?

Answers

Explanations


Correct answer: C

Controls provide accountability for individuals accessing information.

Assurance procedures ensure that access control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

The correct answer is C, Assurance procedures.

Assurance procedures are designed to ensure that the implemented control mechanisms are operating correctly and are compliant with the security policy throughout the entire life cycle of an information system. These procedures involve the use of various methods, tools, and techniques to verify the effectiveness of control mechanisms, identify any gaps or weaknesses in the security posture, and provide recommendations for improvement.

Assurance procedures include activities such as security testing, vulnerability assessments, penetration testing, security audits, and risk assessments. These procedures help to ensure that security controls are properly implemented, and that any issues are identified and addressed in a timely manner.

Accountability controls are designed to establish who did what within a system. They tie each action to a specific, authenticated identity so that activity can be traced back to an individual after the fact. Examples of accountability controls include audit logs and user identification and authentication; they record and attribute actions, but they do not by themselves verify that the enforcement mechanisms implement the policy correctly.

Mandatory access controls (MAC) enforce a security policy by restricting access to resources according to rules fixed by the system rather than by the resource owner. These rules compare the sensitivity label (classification) of the information being protected with the clearance of the subject requesting access; a subject cannot override the decision or pass access on at its own discretion. MAC is itself one of the control mechanisms being enforced, so it is not what verifies that the mechanisms match the policy.
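The two ideas the explanation contrasts, a label-based mandatory access control mechanism and an assurance procedure that verifies the mechanism against the written policy, are easy to confuse in the abstract. The following is an added example, not code from the original page or from The CISSP Prep Guide. It assumes a hypothetical lattice policy: a subject may read an object only if its clearance level is at least the object's classification level and it holds every category on the object (no read-up); it may write to an object only if the object's level is at least its own and the object carries every category the subject holds (no write-down). The level and category names are constructed for the example. A deliberately flawed mechanism that checks levels but ignores categories is included so the assurance check has something to catch.

```python
from dataclasses import dataclass
from itertools import combinations, product

# Ordered sensitivity levels, lowest to highest, and the set of compartments.
# Both are constructed for this example, not taken from any real system.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
CATEGORIES = ("NUCLEAR", "CRYPTO")


@dataclass(frozen=True)
class Label:
    """A MAC label: a sensitivity level plus a set of need-to-know categories."""
    level: str
    categories: frozenset

    def dominates(self, other):
        # Lattice ordering: higher-or-equal level AND a superset of categories.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


# --- The control mechanism: reference-monitor decision functions ---

def may_read(subject, obj):
    """No read-up: the subject's label must dominate the object's label."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """No write-down: the object's label must dominate the subject's label."""
    return obj.dominates(subject)


def may_read_level_only(subject, obj):
    """A deliberately flawed mechanism (hypothetical): it compares levels but
    ignores categories, so it leaks compartmented data to cleared subjects
    without need-to-know. It exists so assurance_check has a bug to find."""
    return LEVELS.index(subject.level) >= LEVELS.index(obj.level)


# --- The assurance procedure ---

def all_labels():
    """Enumerate every label the system can assign: 4 levels x 4 category subsets."""
    for level in LEVELS:
        for n in range(len(CATEGORIES) + 1):
            for combo in combinations(CATEGORIES, n):
                yield Label(level, frozenset(combo))


def assurance_check(read_fn, write_fn):
    """Exhaustively compare a mechanism's decisions with the written policy.

    The policy is restated here without reusing Label.dominates, so a bug in
    the mechanism cannot also hide inside the oracle. Returns the list of
    (operation, subject, object) decisions that disagree with the policy; an
    empty list means the mechanism implements the policy for every label pair.
    """
    violations = []
    for subj, obj in product(all_labels(), repeat=2):
        subj_lvl, obj_lvl = LEVELS.index(subj.level), LEVELS.index(obj.level)
        # Policy: read only if object level <= subject level and every
        # category on the object is held by the subject.
        read_permitted = obj_lvl <= subj_lvl and obj.categories <= subj.categories
        # Policy: write only if subject level <= object level and every
        # category held by the subject is present on the object.
        write_permitted = subj_lvl <= obj_lvl and subj.categories <= obj.categories
        if read_fn(subj, obj) != read_permitted:
            violations.append(("read", subj, obj))
        if write_fn(subj, obj) != write_permitted:
            violations.append(("write", subj, obj))
    return violations


if __name__ == "__main__":
    print("correct mechanism, violations:", len(assurance_check(may_read, may_write)))
    bad = assurance_check(may_read_level_only, may_write)
    print("level-only mechanism, violations:", len(bad))
    for kind, subj, obj in bad[:3]:
        print(" ", kind, "allowed for", subj, "on", obj)
```

The mechanism decides individual requests; the assurance check is the separate activity that compares those decisions, across the whole label space, with the policy they are supposed to implement. Against the correct mechanism it reports nothing; against the level-only variant it reports every pair where a cleared subject is allowed to read an object carrying a category the subject does not hold, which is exactly the class of error that a policy document and a working access check can both hide.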

Administrative controls are policies and procedures that are put in place to manage and regulate an organization's security posture. These controls include policies and procedures for security awareness training, incident response planning, and risk management.

While all of these controls are important for implementing a comprehensive security posture, only assurance procedures can ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.