Certified Chief Information Security Officer (CCISO) — Question 171

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.
What type of control is being implemented by supervisors and data owners?

Answer options

Correct answer: C

Explanation

The correct answer is C, Operational. Operational controls are the day-to-day procedures and practices that ensure policies are followed, including access control to systems. Management controls (A) are more about policies and governance, Technical controls (B) involve the use of technology to enforce security, and Administrative controls (D) pertain to procedures and policies rather than active oversight of individual access.