IA Quiz 4-Question & Solution

Air University, Aerospace and Aviation Campus, Kamra

Department of Computer Science


BS Cyber Security (Fall 2024)
Semester – III
Information Assurance (CY103)
Quiz # 04
Instructor: Mr. M. Ahsan Qureshi
Date: 16-Dec-2024
Total Marks: 10
CLO: 3
Domain: C6
Graduate Attribute: 2
INSTRUCTIONS
1. Write your credentials properly on the paper.
2. Use of unfair means leads to zero marks and cancellation of the quiz.
3. Violating any of the above rules will lead to a deduction of marks.

Context:
FinTech Corporation, a medium-sized technology company specializing in financial software
applications, faces multiple challenges related to access control, data security, and employee
interactions within their network. The company has high employee turnover and operates in a
complex, department-diverse environment. Their current access control, which relies on
password-based authentication alone, does not let them manage or monitor who can reach
which systems and data, raising concerns about unauthorized access and data breaches. As the
Chief Information Security Officer (CISO), you need to propose an access control model that
addresses the following concerns:
• Securing the internal network.
• Ensuring confidentiality of sensitive data stored on servers.
• Enabling focused and specific employee interactions with the systems.
Additionally, you must explain why other types of access control models are less suitable for the
organization.
Ans: Recommended Access Control Model: Role-Based Access Control (RBAC)
Explanation:
1. Role-Based Access Control (RBAC) is the most suitable model for FinTech Corporation
because it balances security, manageability and flexibility. Permissions are attached to
predefined roles (by department or job function) rather than to individual users, and each
employee gains access only through the roles that match their job responsibilities. This
enforces least privilege and significantly reduces the risk of unauthorized access. Because
onboarding, transfers and offboarding reduce to adding or removing role memberships, it also
copes well with the company's high employee turnover. Here is how it aligns with the
company's concerns:

• Securing the Internal Network: RBAC allows the organization to define who can access
network resources based on roles, ensuring that only authorized personnel can access
sensitive systems. This prevents unauthorized users from gaining access to critical
infrastructure.
• Confidentiality of Sensitive Data: Access to sensitive data is controlled and limited to
employees who need it for their job functions. With RBAC, you can set permissions that
ensure employees have access to only the data they need, improving confidentiality.

• Focused and Specific Interactions: Since employees are assigned roles, they only interact
with the systems and data relevant to their duties, promoting a more focused and
efficient workflow. This reduces unnecessary exposure to sensitive information and helps
prevent data leaks.
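The following Python program is an added example written for this page; it is not part of the quiz or its solution. It implements the model described above in miniature, with users mapped to roles and roles mapped to (action, resource) permissions, and walks through the three concerns: a deny-by-default access check, an audit query that lists who can modify financial data, and a transfer plus an offboarding handled purely by changing role membership. The user names, role names and resource paths are constructed for the FinTech Corporation scenario.

```python
"""Role-based access control in miniature: users -> roles -> permissions.

Added example for this page, not part of the quiz. Users, roles and
resource paths are constructed to match the FinTech Corporation scenario.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A permission is an (action, resource-pattern) pair. A pattern ending in
# "/*" covers every resource below that prefix, so a role can hold a subtree.
Permission = Tuple[str, str]


def _matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])  # keeps the trailing "/"
    return pattern == resource


@dataclass
class Rbac:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, action: str, resource: str) -> None:
        self.role_perms.setdefault(role, set()).add((action, resource))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:  # roles are predefined, not ad hoc
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def offboard(self, user: str) -> None:
        # Leaving employee: one operation removes every entitlement.
        self.user_roles.pop(user, None)

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        # Deny by default; allow only if one of the user's roles carries a
        # matching permission. The individual is never consulted directly.
        return any(
            a == action and _matches(pattern, resource)
            for role in self.user_roles.get(user, ())
            for a, pattern in self.role_perms.get(role, ())
        )

    def who_can(self, action: str, resource: str) -> List[str]:
        # Audit view: "who can write the ledger?" answered in one query.
        return sorted(u for u in self.user_roles if self.is_allowed(u, action, resource))


def build_fintech_rbac() -> Rbac:
    """Constructed policy for the scenario: four roles, four employees."""
    rbac = Rbac()
    rbac.grant("finance-analyst", "read", "servers/ledger/*")
    rbac.grant("ledger-admin", "read", "servers/ledger/*")
    rbac.grant("ledger-admin", "write", "servers/ledger/*")
    rbac.grant("developer", "read", "repos/*")
    rbac.grant("developer", "write", "repos/*")
    rbac.grant("hr", "read", "servers/hr/*")
    rbac.grant("hr", "write", "servers/hr/*")
    for user, role in [("alice", "finance-analyst"), ("bob", "ledger-admin"),
                       ("carol", "developer"), ("dave", "hr")]:
        rbac.assign(user, role)
    return rbac


def scenario() -> Dict[str, object]:
    """Decisions for the three quiz concerns, before and after staff changes."""
    rbac = build_fintech_rbac()
    ledger = "servers/ledger/2024-q4.db"
    out: Dict[str, object] = {
        # Confidentiality: analysts read the ledger but cannot change it,
        # and developers cannot reach production financial data at all.
        "alice_reads_ledger": rbac.is_allowed("alice", "read", ledger),
        "alice_writes_ledger": rbac.is_allowed("alice", "write", ledger),
        "carol_reads_ledger": rbac.is_allowed("carol", "read", ledger),
        "ledger_writers_before": rbac.who_can("write", ledger),
    }
    # Turnover: carol transfers from development to finance, bob leaves.
    rbac.unassign("carol", "developer")
    rbac.assign("carol", "finance-analyst")
    rbac.offboard("bob")
    out["carol_reads_ledger_after"] = rbac.is_allowed("carol", "read", ledger)
    out["carol_writes_repo_after"] = rbac.is_allowed("carol", "write", "repos/core")
    out["bob_reads_ledger_after"] = rbac.is_allowed("bob", "read", ledger)
    out["ledger_writers_after"] = rbac.who_can("write", ledger)
    return out
```

Two design points are worth noticing. Access is never granted to a person, only to a role, so the transfer and the offboarding above never touch `role_perms`; that is what keeps permissions consistent under turnover. And because the mapping is central, `who_can` gives the monitoring view the password-only setup in the scenario lacks.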
Why Other Models are Less Suitable:
1. Discretionary Access Control (DAC):

• Not appropriate: Under DAC the owner of each file or resource decides who else may
access it. This decentralized model is hard to manage in an organization with many
departments and high turnover: permissions accumulate inconsistently, grants made to
departing employees linger, and nobody has a central view of who can reach what, which
increases the risk of unauthorized access.

• Why it's less effective: Because access decisions are scattered across individual resource
owners, DAC is harder to monitor and audit than RBAC, especially with a large number of
users moving between jobs.
2. Mandatory Access Control (MAC):

• Not appropriate: Mandatory Access Control (MAC) has its place in environments with very
strict security requirements and is most commonly used in government and military contexts,
where there is little room for flexibility. The system labels every user and every resource with
a security level (and often a compartment), and access is decided by comparing those labels;
neither users nor resource owners can change the policy. That rigidity does not suit a business
that needs adaptable, job-specific access, so although MAC has real strengths, it is not the
most practical or effective choice for FinTech Corporation given its specific challenges.

• Why it's less effective: MAC grants access on the basis of clearances and classification
levels rather than job roles. Assigning and maintaining clearance levels and labels for every
user, resource and interaction requires a dedicated team and continuous oversight, which
would be overwhelming for a medium-sized company with many employees and departments.
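To make the rigidity concrete, here is an added example (written for this page, not part of the quiz) of a MAC decision procedure in the Bell-LaPadula style the text alludes to: every subject and object carries a label made of a level and a compartment set, reads are allowed only when the subject's label dominates the object's ("no read up"), and writes only when the object's label dominates the subject's ("no write down"). The level names, compartments and the sample analyst and documents are constructed for illustration.

```python
"""Mandatory access control as a label lattice (Bell-LaPadula style).

Added example for this page, not part of the quiz. Level names, compartments
and the sample subjects and objects are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Linear ordering of sensitivity levels; compartments add a need-to-know set.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another iff its level is at least as high AND its
        # compartments are a superset of the other's.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down. The object must dominate the subject, so a
    # highly cleared user cannot copy data into a lower-classified object.
    return obj.dominates(subject)


def scenario() -> Dict[str, bool]:
    """Decisions for a finance analyst. Note there is no grant() anywhere:
    the only way to change an outcome is for the security administrator to
    re-label the subject or the object."""
    analyst = Label("confidential", frozenset({"finance"}))
    ledger = Label("confidential", frozenset({"finance"}))
    internal_memo = Label("internal")
    hr_record = Label("confidential", frozenset({"hr"}))
    return {
        "analyst_reads_ledger": can_read(analyst, ledger),
        "analyst_writes_ledger": can_write(analyst, ledger),
        # The analyst may read a lower-level memo...
        "analyst_reads_memo": can_read(analyst, internal_memo),
        # ...but may not write to it: the *-property forbids writing down even
        # for a routine business note. This is the rigidity the text refers to.
        "analyst_writes_memo": can_write(analyst, internal_memo),
        # Same level, different compartment: denied regardless of job need,
        # and the HR team cannot simply share it the way a DAC owner could.
        "analyst_reads_hr_record": can_read(analyst, hr_record),
    }
```

The last two decisions are the practical problem for a company like the one in the scenario: an ordinary cross-department workflow (a cleared analyst annotating an internal memo, or reading one HR record for a legitimate reason) is blocked by the lattice itself, and unblocking it means an administrator changing labels rather than a manager adjusting a role.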
3. Attribute-Based Access Control (ABAC):

• Not appropriate: ABAC evaluates policy rules over attributes of the subject, the resource,
the action and the environment (for example department, data classification, time of day or
location). That expressiveness comes at a cost: policies must be written and tested carefully,
the attribute sources must be kept accurate, and every request requires evaluating those rules,
which is more configuration and monitoring than FinTech Corporation's structured, role-shaped
needs require.

• Why it's less effective: ABAC can introduce unnecessary complexity and does not align as
directly with the company's straightforward need to manage access by job role.
