PrepAway - Latest Free Exam Questions & Answers

In order to enable users to perform tasks and duties without having to go through extra steps, it is important
that the security controls and mechanisms that are in place have a degree of?

A. Complexity

B. Non-transparency

C. Transparency

D. Simplicity

Explanation:
The security controls and mechanisms that are in place must have a degree of transparency. This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily.

Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their workflow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove the stigma of security controls as a detractor from the work process that adds nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. Users should be required to interact with the system as little as possible, and the process around using the control should be engineered to involve little effort on the part of the user.

For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that automatically scans the badge as the user approaches the door is more transparent to the user and does less to impede the movement of personnel in a busy area.

In another example, asking a user to understand what applications and data sets will be required when requesting a system ID, and then to specifically request access to those resources, may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user simply specifies the role he or she has in the organization and the system knows the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and leads to more accurate and secure access control decisions, because access is based on predefined need, not user preference.

When developing and implementing an access control system, special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his workflow as little as possible.
Incorrect Answers:
A: The complexity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps.

B: Non-transparent security controls do not enable users to perform tasks and duties without having to go through extra steps; they have the opposite effect, since they require the extra steps.

D: The simplicity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps.

Harris, Shon. CISSP All-in-One Exam Guide, 6th Edition. McGraw-Hill, 2013, pp. 1239-1240.
