The four major areas that you should consider when collecting and writing security requirements documents are:
User Management
Data Management
Access Control
Auditing
Select one (1) of these four areas and develop a report to management outlining and identifying the specific questions that would need to be asked and addressed in order to determine that adequate access controls are in place to mitigate the inherent risks associated with these major areas.
Please be sure that your paper not only lists the specific questions to be asked but also identifies which type of access control (see list below) each question is designed to assess.
Access Controls
Administrative controls: Policies approved by management and passed down to staff, such as policies on password length.
Logical/technical controls: Control access to a computer system or network, such as a username and password combination.
Hardware controls: Equipment that checks and validates IDs, such as a smart card or security token for multifactor authentication.
Software controls: Controls embedded in operating system and application software, such as NTFS permissions.
Physical controls: Control entry into buildings, parking lots, and protected areas, such as a lock on an office door.