A business application system accesses a corporate database using a single ID and password
embedded in a program. Which of the following would provide efficient access control over the
organization’s data?

Introduce a secondary authentication method such as card swipe

Apply role-based permissions within the application system

Have users input the ID and password for each database transaction

Set an expiration period for the database password embedded in the program

When a single ID and password are embedded in a program, the best compensating control is sound
access control at the application layer, with procedures to ensure that access to data is granted based
on a user’s role. The issue is user permissions, not authentication; therefore, adding a stronger
authentication method does not improve the situation. Having each user input the ID and password for
access would provide better accountability, because the database log would then identify the initiator
of each activity; however, this is not efficient, because every transaction would require a separate
authentication process. Setting an expiration date for a password is good practice, but it may not be
practical for an ID that the program logs in automatically; often, this type of password is set not to
expire.