A mid-sized financial-services firm stores customer account data in a proprietary database application that is accessed over the corporate network. Management wants to guarantee that only senior accountants and database administrators can view or change the records, while all other authenticated employees are blocked. Which control BEST meets this requirement?
Enforce a 30-day enterprise-wide password rotation policy.
Install centrally managed antivirus software on all employee workstations.
Move the database server to an isolated DMZ subnet.
Create an access control list (ACL) that grants only the designated roles read and write permissions on the database objects.
The ACL is the correct choice. Defining an access control list (ACL), or equivalent object-level permissions, on the database lets administrators state explicitly which users or security groups may read or modify each table. Each entry ties a subject (a user or, preferably, a role) to an allowed action on an object (such as SELECT or UPDATE on a table), and anyone without a matching entry is denied, so the company can enforce least privilege; paired with database audit logging, it also lets the firm reconstruct later who accessed the data. The other options are real controls, but they address different risks: password rotation and antivirus do nothing to distinguish a senior accountant from any other authenticated employee, and moving an internal database into a DMZ is network segmentation (which would actually expose the server to less-trusted traffic) that still cannot tell one logged-in user from another. None of them provides the fine-grained authorization this scenario requires.
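As an added example (not part of the original question or its explanation), the following PostgreSQL script implements the ACL described above: deny by default, grant to roles rather than to individual logins, and verify the result. The schema, table, role and user names are hypothetical.

```sql
-- Added example, PostgreSQL syntax. Schema/table/role names (accounts,
-- customer_account, senior_accountant, dba, alice, bob) are hypothetical.

-- 1. Deny by default: strip the implicit rights every login inherits via PUBLIC.
REVOKE ALL ON SCHEMA accounts FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA accounts FROM PUBLIC;

-- 2. Subjects as group roles, so staff changes mean changing membership,
--    not rewriting grants.
CREATE ROLE senior_accountant NOLOGIN;
CREATE ROLE dba NOLOGIN;

-- 3. ACL entries: subject + allowed action on a specific object.
GRANT USAGE ON SCHEMA accounts TO senior_accountant, dba;
GRANT SELECT, INSERT, UPDATE ON accounts.customer_account TO senior_accountant;
GRANT ALL PRIVILEGES ON accounts.customer_account TO dba;

-- Tables created in this schema later get the same entries automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA accounts
    GRANT SELECT, INSERT, UPDATE ON TABLES TO senior_accountant;

-- 4. Bind people to roles. bob is an ordinary employee and gets no grant.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
GRANT senior_accountant TO alice;

-- 5. Verify what each subject actually holds on the object.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'accounts' AND table_name = 'customer_account';

-- Expected: alice true (via senior_accountant), bob false.
SELECT has_table_privilege('alice', 'accounts.customer_account', 'SELECT') AS alice_can_read,
       has_table_privilege('bob',   'accounts.customer_account', 'SELECT') AS bob_can_read;
```

The REVOKE from PUBLIC is the step people most often forget; without it every authenticated login keeps whatever default rights the schema granted, and the ACL only adds permissions instead of limiting them. Note also that the ACL decides who may act, not who did act: to audit access you still need the server's statement logging or an extension such as pgaudit enabled separately.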