CompTIA SecurityX (CAS-005) — Question 26
An organization wants to implement an access control system based on its data classification policy that includes the following data types:
- Confidential
- Restricted
- Internal
- Public
The access control system should support SSO federation to map users into groups. Each group should only access systems that process and store data at the classification assigned to the group. Which of the following should the organization implement to enforce its requirements with a minimal impact to systems and resources?
Answer options
- A. A tagging strategy in which all resources are assigned a tag based on the data classification type, and a system that enforces attribute-based access control
- B. Role-based access control that maps data types to internal roles, which are defined in the human resources department's source of truth system
- C. Network microsegmentation based on data types, and a network access control system enforcing mandatory access control based on the user principal
- D. A rule-based access control strategy enforced by the SSO system with rules managed by the internal LDAP and applied on a per-system basis
Correct answer: A
Explanation
Option A is correct because implementing a tagging strategy with attribute-based access control allows for dynamic access management based on data classification with minimal changes to existing systems. The other options may involve more complexity and resource allocation, such as managing internal roles or network segmentation, which can increase the impact on systems and resources.