As a CISO working for a direct bank based in Taiwan that relies entirely on internet banking, you are collaborating with the Human Resources (HR) department to improve personnel security. Which of the following will you suggest to review first?
A. Role-based access control mechanisms
B. Background investigation procedures
C. Implementation of separation of duties
D. Effectiveness and correctness of job descriptions

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Effectiveness and correctness of job descriptions.

Job descriptions are the work product of job design. When conducting job design, it’s crucial to consider essential security principles such as separation of duties, least privileges, job rotation, mandatory vacation, and periodic background investigations.

Not every job position shall share the same level or rigorousness of background investigation. The background investigation for the first-line production worker is typically different from the one for the senior management.

Job descriptions provide input to the role assignment process that determines privileges in the role-based access control mechanism.