Meeting Compliance Objectives for Payment-Processing Team | Effective Security Measures

Reducing Findings, Limiting Scope, and Enhancing Cybersecurity for CompTIA CySA+ Exam

Question

The security team at a large corporation is helping the payment-processing team prepare for a regulatory compliance audit and meet the following objectives:

-> Reduce the number of potential findings by the auditors.

-> Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

-> Prevent the external-facing web infrastructure used by other teams from coming into scope.

-> Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

Answers

A. Limit the permissions to prevent other employees from accessing data owned by the business unit.

B. Segment the servers and systems used by the business unit from the rest of the network.

C. Deploy patches to all servers and workstations across the entire organization.

D. Implement full-disk encryption on the laptops used by employees of the payment-processing team.

Correct answer: B.

Of the options given, the most effective way for the security team to meet these objectives would be to segment the servers and systems used by the payment-processing team from the rest of the network.

Explanation:

A. Limit the permissions to prevent other employees from accessing data owned by the business unit. This is a sound access-control measure and may remove a few findings about over-broad access, but permissions do not change what is in scope. A system that sits on the same network as the payment systems is still auditable regardless of who can log in to it, tighter permissions do nothing to keep the external-facing web tier out of scope, and they do not contain an attacker who has already compromised one of the payment systems.

B. Segment the servers and systems used by the business unit from the rest of the network. Placing the payment-processing systems in their own network segment, with traffic into and out of it restricted to what the team actually needs, addresses all four objectives. Systems that cannot communicate with the payment segment fall outside the audit boundary, so fewer devices are examined and fewer findings are possible; the external-facing web infrastructure used by other teams stays on the far side of that boundary; and if the payment systems are compromised, the attacker's reach is limited to the segment rather than the whole network, just as a compromise elsewhere cannot reach the payment systems. The practical caveat is that segmentation only reduces scope if it is real: the boundary needs deny-by-default rules in both directions, and it should be verified, for example by confirming from hosts outside the segment that they cannot reach it, because a leaky boundary does not exist for scoping purposes.

C. Deploy patches to all servers and workstations across the entire organization. Patching reduces vulnerability findings, so it may help with the first objective, but it does nothing to define or narrow the audit boundary, keep the web tier out of scope, or limit what a compromised payment system can reach. Applying it organization-wide also spends effort on systems that, with proper scoping, should not be part of the audit at all.

D. Implement full-disk encryption on the laptops used by employees of the payment-processing team. Full-disk encryption protects data at rest on a lost or stolen laptop and may satisfy one specific control, but laptops are only a small part of the environment. It says nothing about which servers and network paths are in scope, does not keep the external-facing web infrastructure out of scope, and does not limit exposure when a running, unlocked system is compromised.

Overall, segmenting the payment-processing servers and systems from the rest of the network is the only option that meets all of the listed objectives. It defines precisely which devices and activities fall under the regulation, keeps unrelated infrastructure out of the audit, and limits exposure in both directions if either side of the boundary is compromised.
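The verification step described above, as an added example that is not part of the original page: a small Python script that models a first-match firewall rule base with an implicit default deny and checks that the payment zone is reachable only from the payment team's workstation VLAN and cannot reach anything else. Every zone, address, rule line and rule set below is constructed for the example; the text rule format is hypothetical and stands in for whatever the real firewall exports.

```python
"""Spot check of network segmentation for a payment-processing zone.

Added example, not from the original exam page. All networks, rules and
expectations are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption for this example, not from the page).
ZONES = {
    "payment":    ipaddress.ip_network("10.20.0.0/24"),      # in-scope servers
    "payment_ws": ipaddress.ip_network("10.21.0.0/24"),      # payment team workstations
    "web_dmz":    ipaddress.ip_network("192.168.100.0/24"),  # other teams' external web tier
    "corp":       ipaddress.ip_network("10.0.0.0/16"),       # general corporate LAN
}

# Ports probed when an expectation says "no port at all may be open".
SAMPLE_PORTS = (22, 443, 1433, 3306, 8080)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None matches any destination port


def parse_rules(text: str) -> list:
    """Parse lines of the hypothetical form 'allow 10.21.0.0/24 -> 10.20.0.0/24 443'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        action, src, arrow, dst, *rest = line.split()
        if action not in ("allow", "deny") or arrow != "->":
            raise ValueError(f"bad rule: {raw!r}")
        dport = None if not rest or rest[0] == "any" else int(rest[0])
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport))
    return rules


def decide(rules, src_ip, dst_ip, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied, like a firewall ACL."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


# Scope expectations: (source zone, destination zone, port or None for all sample ports, expected action).
EXPECTATIONS = [
    ("payment_ws", "payment", 443,  "allow"),  # the team must still reach its own systems
    ("web_dmz",    "payment", None, "deny"),   # keeps the external web tier out of scope
    ("corp",       "payment", None, "deny"),   # no path in from the general LAN
    ("payment",    "web_dmz", None, "deny"),   # limits the blast radius of a payment compromise
    ("payment",    "corp",    None, "deny"),
]


def check_segmentation(rules, zones=ZONES) -> list:
    """Return findings as strings; an empty list means every expectation held.

    Each zone is represented by one sample host and a handful of ports, so this
    is a spot check of the rule base, not a proof of isolation.
    """
    findings = []
    for src_zone, dst_zone, port, expected in EXPECTATIONS:
        src_ip, dst_ip = zones[src_zone][10], zones[dst_zone][10]
        for p in (port,) if port is not None else SAMPLE_PORTS:
            got = decide(rules, src_ip, dst_ip, p)
            if got != expected:
                findings.append(f"{src_zone} -> {dst_zone}:{p} is {got}, expected {expected}")
    return findings


# Constructed rule base for the segmented design.
SEGMENTED_RULES = """
allow 10.21.0.0/24 -> 10.20.0.0/24 443   # payment workstations to the payment application
allow 10.21.0.0/24 -> 10.20.0.0/24 22    # administration from the team's VLAN only
deny  0.0.0.0/0    -> 10.20.0.0/24 any   # nothing else reaches the payment zone
deny  10.20.0.0/24 -> 0.0.0.0/0    any   # and the payment zone reaches nothing else
"""

# Constructed rule base with one "temporary" exception that silently widens scope.
LEAKY_RULES = """
allow 10.21.0.0/24 -> 10.20.0.0/24 443
allow 10.0.0.0/16  -> 10.20.0.0/24 443   # whole corporate LAN can reach the payment app
deny  0.0.0.0/0    -> 10.20.0.0/24 any
deny  10.20.0.0/24 -> 0.0.0.0/0    any
"""

# Constructed rule base for the pre-segmentation state: a flat network.
FLAT_RULES = """
allow 0.0.0.0/0 -> 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for name, text in (("segmented", SEGMENTED_RULES), ("leaky", LEAKY_RULES), ("flat", FLAT_RULES)):
        findings = check_segmentation(parse_rules(text))
        print(f"{name}: {'no findings' if not findings else findings}")
```

Run stand-alone, the script reports no findings for the segmented rule base, a single finding for the leaky one (the corporate LAN can reach the payment application on 443, which drags the whole LAN back into scope), and twenty for the flat network. In a real environment the rule base would be the firewall's own export, and the static check would be complemented by actual connection attempts from hosts outside the segment.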