A comprehensive program for controlling access to the computer equipment, computer programs, and data is an important control. In evaluating the comprehensiveness of an access policy, the auditor considers both physical and data access (that is, access to data by gaining access to computer files through the computer).

Required
a. Identify questions the auditor might ask regarding the physical controls over access to the equipment and computer documentation.
b. Identify the three main ways an access control program can authenticate a user. What are the advantages and disadvantages of each approach?
c. What are the risks in using a physical identifier such as a retinal scan or a fingerprint as the major approach to authenticating users? What are the implications to the user if the authentication is compromised?
d. Assume that a client has software that does a good job in authenticating users. Explain how an access matrix works and the importance of developing an access matrix for security. Explain how users and access should be matched on a matrix.