Page 1545 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
19. D. The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions. Implicit deny ensures that only access that is explicitly granted is allowed, but the administrator was explicitly granted privileges. While the administrator’s actions could have caused loss of availability, loss of availability isn’t a basic principle. Defensive privileges aren’t a valid security principle.
20. D. Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication methods) would not have prevented the problems in this scenario. Logging could have recorded activity, but a review is necessary to discover the problems.