A business application system accesses a corporate database using a single ID and password
embedded in a program. Which of the following would provide efficient access control over the
organization’s data?

A. Introduce a secondary authentication method such as card swipe

B. Apply role-based permissions within the application system

C. Have users input the ID and password for each database transaction

D. Set an expiration period for the database password embedded in the program

Explanation:
When a single ID and password are embedded in a program, the best compensating control would
be sound access control at the application layer, with procedures to ensure that access to data is
granted based on a user’s role. The issue is user permissions, not authentication; therefore, adding
stronger authentication does not improve the situation. Having users input the ID and password
for access would provide better control because a database log would identify the initiator of the
activity. However, this may not be efficient because each transaction would require a separate
authentication process. It is good practice to set an expiration date for a password. However, this
might not be practical for an ID that is automatically logged in from the program. Often, this type of
password is set not to expire.
