In a defense-in-depth strategy, which access control mechanism provides the most granular control over user permissions?
ACLs provide fine-grained control over who can read, write, or execute individual files.
Why this answer
Access control lists (ACLs) on files provide the most granular control because they allow permissions to be set at the individual file or object level, specifying exactly which users or groups can read, write, execute, or modify that specific resource. This is in contrast to broader mechanisms like network segmentation or firewall rules, which operate at the network or subnet level and cannot distinguish between individual files within a system. ACLs are a fundamental component of discretionary access control (DAC) and are implemented in file systems such as NTFS, ext4, and ZFS.
Exam trap
ISC2 often tests the distinction between network-level controls (such as firewall rules and segmentation) and system-level controls (such as file ACLs); candidates mistakenly choose a network mechanism when the question asks for the most granular control over user permissions on a resource.
How to eliminate wrong answers
Option A is wrong because network segmentation divides a network into smaller segments to limit lateral movement, but it does not control permissions on individual files or objects—it operates at Layer 2/3 and cannot enforce user-level granularity on a file. Option C is wrong because physical security controls (e.g., locks, biometrics, guards) protect the physical environment and assets, but they cannot differentiate between users accessing specific files on a system; they are a coarse, perimeter-level control. Option D is wrong because firewall rules filter traffic based on IP addresses, ports, and protocols at Layers 3/4 (and sometimes Layer 7), but they do not manage permissions on files or objects within an operating system—they control network access, not user permissions on resources.