Question 1058 - CISA discussion

The primary reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center is to improve traceability (A). Traceability is the ability to track and monitor the activities and movements of individuals or objects within a system or environment. Traceability is important for ensuring security, accountability, and compliance in a data center, where sensitive and critical data are stored and processed.

An RFID access card system can improve traceability by using RFID technology to verify and record the identity and access of each user who enters or exits the data center. RFID stands for Radio Frequency Identification, and it enables wireless communication between a reader and an RFID tag. An RFID tag is installed in a door key card or fob, which users use to gain access to the data center. An RFID reader is installed near the door, and it contains an antenna that receives data transmitted by the RFID tag. A control panel is a computer server that reads and interprets the data passed along by the RFID reader.A database is a storage system that stores the data collected by the control panel1.

An RFID access card system can provide several benefits for traceability, such as123:

It can uniquely identify each user and their access level, and prevent unauthorized access or impersonation.

It can record the date, time, and duration of each user's access, and generate logs and reports for auditing purposes.

It can monitor the location and status of each user within the data center, and alert security personnel in case of any anomalies or emergencies.

It can integrate with other security systems, such as cameras, alarms, or biometrics, to enhance verification and protection.

A universal PIN code system, on the other hand, can compromise traceability by using a single or shared personal identification number (PIN) to grant access to multiple users.A universal PIN code system can pose several risks for traceability, such as4:

It can be easily guessed, stolen, shared, or compromised by malicious actors or insiders.

It can not distinguish between different users or their access levels, and allow unauthorized or excessive access.

It can not record or track the activities or movements of each user within the data center, and create gaps or errors in the audit trail.

It can not integrate with other security systems, and provide limited verification and protection.

Therefore, an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center to improve traceability.

RFID Access Control Guide: 4 Best RFID Access Control Systems - ButterflyMX

Choosing Card Technology in 2023 | ICT

RFID Vs Magnetic Key Cards: What's The Difference? - Go Safer Security

RFID vs Barcode - Advantages, Disadvantages & Differences