Security Controls and Mechanisms for Efficient Task Execution | SSCP Exam Answer

Enhancing User Productivity with Effective Security Controls and Mechanisms | SSCP Exam Answer


Question

In order to enable users to perform tasks and duties without having to go through extra steps, it is important that the security controls and mechanisms that are in place have a degree of?

Answers

A. B. C. D.

C.

The security controls and mechanisms that are in place must have a degree of transparency.

This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls.

Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them.

If the controls are too obvious, an attacker can figure out how to compromise them more easily.

Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls.

Historically, security controls have been very intrusive to users, forcing them to interrupt their workflow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done.

In recent years, much work has been done to remove the stigma of security controls as a detractor from the work process that adds nothing but time and money.

When developing access control, the system must be as transparent as possible to the end user.

The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user.

For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room.

However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area.

In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent.

A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role.

This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference.
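The role-based provisioning described above can be sketched as follows. This is an added example, not code from the original page or the cited books; the role names, resource names and function names are constructed for illustration.

```python
# Constructed role catalogue (hypothetical names). A role may inherit
# the grants of a parent role.
ROLES = {
    "employee": {"parent": None, "grants": {"email", "intranet"}},
    "accountant": {"parent": "employee",
                   "grants": {"ledger:read", "ledger:write"}},
    "auditor": {"parent": "employee",
                "grants": {"ledger:read", "audit-log:read"}},
}


def entitlements_for(role, catalogue=ROLES):
    """Resolve a role to its full entitlement set, following parent links."""
    resolved, seen = set(), set()
    while role is not None:
        if role not in catalogue:
            raise KeyError(f"unknown role: {role}")
        if role in seen:
            raise ValueError(f"inheritance cycle at role: {role}")
        seen.add(role)
        resolved |= catalogue[role]["grants"]
        role = catalogue[role]["parent"]
    return resolved


def provisioning_plan(role, current_grants, catalogue=ROLES):
    """Diff what an account holds against what its role needs.

    The user states only the role; grants and revocations are derived.
    """
    needed = entitlements_for(role, catalogue)
    return {"grant": sorted(needed - current_grants),
            "revoke": sorted(current_grants - needed)}


def review_self_request(role, requested, catalogue=ROLES):
    """Compare a user-selected resource list with the role's predefined need."""
    needed = entitlements_for(role, catalogue)
    return {"excess": sorted(requested - needed),
            "missing": sorted(needed - requested)}
```

When an accountant moves to the auditor role, `provisioning_plan` both adds the new access and removes the write access that the old role carried, without the user naming any resource.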

When developing and implementing an access control system, special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his workflow as little as possible.

The following answers were incorrect: All of the other distractors were incorrect.

Reference(s) used for this question:

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th edition, Operations Security, Page 1239-1240.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25278-25281). McGraw-Hill. Kindle Edition.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 713-729). Auerbach Publications. Kindle Edition.

The correct answer is C. Transparency.

Transparency refers to the quality or state of being easily understandable or perceivable, clear, and open. In the context of security controls and mechanisms, transparency means that these controls are designed to be easily understood and accessible by users. This allows users to perform their tasks and duties without having to go through extra steps or being impeded by overly complex security measures.

On the other hand, if security controls and mechanisms are overly complex or non-transparent, users may struggle to understand how to use them or be deterred from using them altogether. This can create security vulnerabilities and undermine the effectiveness of the security measures in place.

Therefore, it is important for security controls and mechanisms to strike a balance between providing adequate protection and being transparent and user-friendly. This requires careful consideration of user needs and workflows, as well as ongoing monitoring and evaluation of the effectiveness of the security measures in place.