The IS auditor is assessing the deployment of a storage area network (SAN). The SAN administrator reports that logging and monitoring are enabled, hard zoning is used to segregate data belonging to different business units, and all unused SAN ports are disabled. The administrator deployed the system, executed and documented security testing during deployment, and is the only user with administrative rights to the system. What should the IS auditor's initial conclusion be?
The SAN presents a potential risk because soft zoning should be used.
The SAN presents a potential risk because only one employee has access.
The SAN presents a probable risk because audit logs are not assessed in a timely manner.
The SAN is secure and there is minimal risk.
The largest potential risk in this scenario is that the SAN administrator represents a single point of failure. Only one person has the knowledge and the access required to administer the system, so if that administrator resigned unexpectedly or were otherwise unavailable, the organization might not be able to administer the SAN adequately in his or her absence. A single administrator for a large, complex system such as a SAN also presents a segregation of duties risk: the same person deployed the system, tested it, documented the testing and holds the only administrative credentials, so no one independently reviews that person's actions.

If the SAN is securely configured, using hard zoning, logging and monitoring, and disabling of unused ports, no significant risk appears to exist regarding that configuration. The risk of a single administrator (single point of failure and separation of duties) does exist, however, and that is what the auditor's initial conclusion should address.

Hard zoning is more secure than soft zoning and is the preferred choice, so option 1 is incorrect. Zoning is used to separate different data sources from each other within the fabric (for instance, to ensure that payroll and human resources [HR] data are isolated from sales data). Hard zones are enforced by the fabric switches themselves, which drop frames exchanged between devices that are not in a common zone. Soft zones are implemented in the switch software or firmware, typically by filtering the name server's responses so that a device only discovers the targets it is zoned with; a device that already knows a target's fabric address can still send frames to it, which is why soft zoning is weaker.

The question does not state whether logs are reviewed in a timely manner, so the IS auditor does not have enough information to determine whether option 3 describes a risk area.
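The difference between the two zoning modes is easiest to see with a small model of a fabric. The following is an added example written for this page, not Skillset material and not code from any real Fibre Channel switch: it models a name server that hides out-of-zone devices in both modes, and a switch that filters frames only in hard mode. The zone names, device names and addresses are constructed for the illustration; the scenario is a sales host that has learned the payroll array's fabric address (FCID) out of band, the case soft zoning does not protect against.

```python
"""Toy model of SAN zoning: soft (name-server filtering) vs hard (frame filtering).

Constructed example for illustration; the fabric, devices and addresses are
hypothetical and the model omits everything about real FC switches except
the one enforcement difference discussed on the page.
"""
from dataclasses import dataclass, field


@dataclass
class Fabric:
    zones: dict                                  # zone name -> set of device WWPNs
    mode: str                                    # "soft" or "hard"
    devices: dict = field(default_factory=dict)  # WWPN -> FCID (fabric address)

    def register(self, wwpn: str, fcid: int) -> None:
        """A device logs into the fabric and is assigned a fabric address."""
        self.devices[wwpn] = fcid

    def _same_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())

    def name_server_query(self, requester: str) -> list:
        """Both modes: the name server only lists devices zoned with the requester."""
        return sorted(w for w in self.devices
                      if w != requester and self._same_zone(requester, w))

    def forward_frame(self, src: str, dst_fcid: int) -> bool:
        """Switch forwarding decision for a frame from src to a fabric address.

        Hard zoning checks zone membership here and drops out-of-zone frames.
        Soft zoning does not: a source that already knows the address gets through.
        """
        dst = next((w for w, f in self.devices.items() if f == dst_fcid), None)
        if dst is None:
            return False                         # unknown address, nothing to deliver to
        if self.mode == "hard" and not self._same_zone(src, dst):
            return False                         # enforced by the fabric itself
        return True


def build_fabric(mode: str) -> Fabric:
    """Two business-unit zones, as in the question: payroll/HR and sales (constructed)."""
    fab = Fabric(zones={"payroll": {"hr-host", "payroll-array"},
                        "sales": {"sales-host", "sales-array"}},
                 mode=mode)
    fab.register("hr-host", 0x010100)
    fab.register("payroll-array", 0x010200)
    fab.register("sales-host", 0x020100)
    fab.register("sales-array", 0x020200)
    return fab


def rogue_access(mode: str) -> dict:
    """What a sales host sees and can reach under a given zoning mode.

    The host queries the name server legitimately, then sends a frame directly
    to the payroll array's FCID, which it is assumed to have learned out of band
    (e.g. from a misconfiguration or an old inventory) - a hypothetical scenario.
    """
    fab = build_fabric(mode)
    payroll_fcid = fab.devices["payroll-array"]
    return {
        "discovered": fab.name_server_query("sales-host"),
        "reached_payroll": fab.forward_frame("sales-host", payroll_fcid),
        "reached_own_array": fab.forward_frame("sales-host", fab.devices["sales-array"]),
    }


if __name__ == "__main__":
    for mode in ("soft", "hard"):
        print(mode, rogue_access(mode))
```

In both modes the sales host discovers only its own array, so a discovery-based check would report the fabric as correctly segregated. Only in hard mode does the switch also refuse the frame addressed directly to the payroll array, which is the property an auditor is relying on when accepting zoning as the control that separates business units' data.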