Most CISA candidates struggle with questions related to information assets protection. I have prepared a question below that will help you understand this concept.
Ransom’s Question on 06/03/2017 – Information Asset Protection
A media company stores and transmits sensitive customer data within a secure wired network. It recently implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs such as wifi connectivity in the meeting rooms where there is no wired connection. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks?
A – Create two physically separate networks.
B – Implement virtual local area network (VLAN) segmentation.
C – Install a dedicated router between the two networks.
D – Install a firewall between the networks.
Let us apply the K-E-C approach in answering this question.
Please note that the K-E-C approach is as follows:
K = Keyword, phrase or stem of the question
E = Eliminate two incorrect options
C = Choose the best answer for the remaining two options, linking the answer to the Key or K.
So let us approach this question.
K = Key – The key phrase here is “BEST control”. This question is about determining what is the best way of ensuring that authorised users are given access to customer data.
I want us to think really seriously about this question. This question is about ensuring that the system is able to recognise authentic employees and only grant access to the sensitive customer information that are relevant to that employee’s job description and access level. This system is usually described as a user authentication system.
How would an organisation, that has a secured wired network and has recently installed a wireless local area network, ensure that those only authorised users are given access to sensitive customer data over their wireless area network (WLAN)? There are certain key things that we need to make sure that we understand before responding to this question. The question did not suggest that the WLAN network was insecure, however, there might be increased vulnerabilities involved in using a VLAN.
E = Eliminate two options – If we scan through the options above, we can easily eliminate answers A and B. Option A talks about creating two separate networks. Well, this will not ensure that the WLAN network authenticates users correctly. If we have two separate networks and one of them is weak, it might increase the vulnerability of the company. In creating a separate network, an authentic user may not have access to the customer data.
Option B is about segmenting the VLAN. This is a good option but a hacker with good knowledge on the segmented network would hack the sensitive information using the WLAN. Segmentation does not guarantee that only valid users have access to sensitive data.
C = Choose the correct answer that lines up with the KEY – We are thus left with options C and D to choose from. Option C talks about installing a separate router. Please note that a router acts like a traffic officer, it directs data traffic but does not authenticate user access. This option is not the best option or the best control.
Option D says we should install a firewall between the networks. As you can see from the sketch on the right, this option is the best option because the firewall will ensure that only authentic users have access to sensitive customer information. Users who wish to access the customer database will need to be authenticated. This is synonymous to a policeman checking user’s ID before allowing them to enter into a restricted facility. The firewall checks users profile against the system records and will only grant these users access if they are valid users and have been pre-approved to access the sensitive data.
The correct answer is thus D – Install a firewall between the networks. It meet the “key” to this question which required us for the “BEST Control”. D is thus the correct option.
Posted by @RansomNformi