18. Explain why a control might not be applied (AC 4.4)

Why should a retina scan and a fingerprint scan not be applied as a control to access sensitive information?

The benefit of having 2FA (two-factor authentication) is that it would ensure that only authorised personnel can access the sensitive information. There is very little that can be done to fool both a fingerprint scan and a retina scan, contrary to what films would have you believe.

The negatives, and the reasons why it shouldn't be applied in this scenario, are as follows.

Costs

Retina scan machines can be incredibly expensive, anywhere from £2000 to £10000. And while fingerprint scanners have become much more commonplace in the last decade, they are still expensive. With each system there might be associated fees, increasing the overall costs.

Implementing these controls will also take a large amount of time, as they are complex systems. They will require specialised, trained staff. And everyone who needs access to the sensitive information would have to go through the process of having their retinas and fingerprints scanned.

Even though we value security above all else, this kind of control is over the top, and we would benefit from having the rest of our cyber security upgraded to the same level. After all, security is only as strong as its weakest link.

2FA of this kind would not be suitable for accessing sensitive information. There are more appropriate security controls for this, such as granting the right privileges to the people who need access to the necessary files.
