Security Assessment of File Server Controls: CAS-003 Exam | CompTIA CASP+

Key Considerations for Reviewing Access Requirements and Implementation

Question

A systems administrator recently joined an organization and has been asked to perform a security assessment of controls on the organization's file servers, which contain client data from a number of sensitive systems.

The administrator needs to compare documented access requirements to the access implemented within the file system.

Which of the following is MOST likely to be reviewed during the assessment? (Choose two.)

Answers

A. Access control list (ACL)
B. Security requirements traceability matrix (SRTM)
C. Data owner matrix
D. Roles matrix
E. Data design document
F. Data access policies

Correct answer: AF.

Explanations

The two items that are MOST likely to be reviewed during the security assessment are:

A. Access Control List (ACL): An ACL is a list of permissions attached to an object (here, a file or directory on the file server). It specifies which users or groups are granted access to the object and what level of access they receive. The administrator would compare the documented access requirements with the permissions actually granted to determine whether the access controls are implemented as intended.

F. Data Access Policies: Data access policies provide guidelines and rules for how data should be accessed, used, and protected within an organization. They often specify who can access data, when they can access it, and how they can access it. The administrator would review the data access policies to ensure that they align with the documented access requirements, and that they are being followed properly.

The remaining options are less likely to be the focus of this comparison:

B. Security Requirements Traceability Matrix: A Security Requirements Traceability Matrix (SRTM) is a document that traces security requirements throughout the system development life cycle. It identifies which security controls are required to mitigate each security risk and maps each control to the requirement it fulfills. While an SRTM may be helpful for identifying the appropriate security controls for the file servers, it is less likely to be used for comparing documented access requirements to the access actually implemented.

C. Data Owner Matrix: A Data Owner Matrix assigns ownership of specific data sets to individuals or groups within an organization. While this may be helpful for identifying who is responsible for the data on the file servers, it is less likely to be used for comparing documented access requirements to actual access implemented.

D. Roles Matrix: A Roles Matrix is a document that maps job functions to system permissions. While this may be helpful for identifying which roles have access to the file servers, it is less likely to be used for comparing documented access requirements to actual access implemented.

E. Data Design Document: A Data Design Document specifies the structure and layout of data in a system. While this may be helpful for understanding the organization of the data on the file servers, it is less likely to be used for comparing documented access requirements to actual access implemented.
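The comparison described for option A, as an added example that is not part of the original question or explanation: documented entitlements are checked against ACL entries exported from the file system, and any drift is reported as an undocumented principal, excess rights, or missing rights. All paths, group names and rights are constructed sample data; the observed entries stand in for what a tool such as icacls or getfacl would export.

```python
"""Compare documented access requirements with ACL entries observed on a file server.
Constructed sample data: documented entitlements from the access requirements, and ACEs
exported from the file system (e.g. icacls/getfacl output) as (path, principal, rights).
"""
# Documented requirements: path -> principal -> rights that SHOULD be granted (constructed).
DOCUMENTED = {
    r"\\fs01\clients": {
        "GRP_Client_Services": {"read", "write"},
        "GRP_Audit": {"read"},
    },
    r"\\fs01\clients\archive": {"GRP_Audit": {"read"}},
}

# Observed ACL entries as found on the file system (constructed).
OBSERVED = [
    (r"\\fs01\clients", "GRP_Client_Services", {"read", "write"}),
    (r"\\fs01\clients", "GRP_Audit", {"read", "write"}),   # write was never documented
    (r"\\fs01\clients", "Everyone", {"read"}),              # principal not in the requirements
    (r"\\fs01\clients\archive", "GRP_IT", {"read"}),        # documented GRP_Audit entry is absent
]

def assess(documented, observed):
    """Return sorted (path, principal, finding, rights) tuples describing drift.
    undocumented_principal: an ACE exists for a principal with no documented entitlement
    excess_rights:          the principal holds rights beyond what is documented
    missing_rights:         documented rights are not present on the file system
    """
    actual = {}
    for path, principal, rights in observed:
        actual.setdefault(path, {}).setdefault(principal, set()).update(rights)
    findings = []
    for path in sorted(set(documented) | set(actual)):
        doc, act = documented.get(path, {}), actual.get(path, {})
        for principal in sorted(set(doc) | set(act)):
            want, have = doc.get(principal, set()), act.get(principal, set())
            if principal not in doc:
                findings.append((path, principal, "undocumented_principal", tuple(sorted(have))))
            elif have - want:
                findings.append((path, principal, "excess_rights", tuple(sorted(have - want))))
            if principal in doc and want - have:
                findings.append((path, principal, "missing_rights", tuple(sorted(want - have))))
    return findings

if __name__ == "__main__":
    for path, principal, finding, rights in assess(DOCUMENTED, OBSERVED):
        print(f"{finding:22} {path} {principal} {','.join(rights)}")
```

Each finding maps directly to an assessment question: who was granted access without a documented requirement, who holds more than the requirement allows, and which documented grants are not actually in place.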