Which statement best describes coverage of access control on system components?

• A. Implement access control on critical servers only
• B. Verify that access control is configured for network devices only
• C. Confirm that access control systems are in place on all system components
• D. Ignore access control for non-network endpoints

Answer: (C)

Coverage of access control means applying authentication and authorization controls to every device and component that stores, processes, or transmits cardholder data, as well as every component that supports those systems. The best choice states that access control systems are in place on all system components, which eliminates gaps that could be exploited on endpoints, workstations, servers, network devices, or other parts of the environment. Limiting coverage to only critical servers or only network devices leaves areas unprotected and could allow unauthorized access to systems that still influence security. Ignoring non-network endpoints would create entry points and undermine accountability. So, comprehensive coverage across all system components is the right approach.