Page 1552 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 16: Managing Security Operations
1.  C. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process. Role Based Access Control (RBAC) grants access to resources based on a role.

2.  D. The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn't indicate that new users need any access to the database. Read access, modify access, and full access grant users some level of access, which violates the principle of least privilege.

3.  C. A separation of duties policy prevents a single person from controlling all elements of a process, and when applied to security settings, it can prevent a person from making major security changes without assistance. Job rotation helps ensure that multiple people can do the same job and can help prevent the organization from losing information when a single person leaves. Having employees concentrate their talents is unrelated to separation of duties.
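The two principles behind answers 2 and 3 (default no access, and no single person controlling every step of a process) are easy to state and easy to get wrong in code. The following is an added example, not from the study guide: a small authorization model in which anything not explicitly granted to a role is denied, plus a separation-of-duties check that stops one person from both requesting and approving the same change. The role names, permission strings, users and change records are all constructed for illustration.

```python
"""Default-deny authorization with a separation-of-duties check.

Added example, not from the study guide. Role names, permission strings,
users and change records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Explicit grants per role. Anything not listed here is denied, which is how
# "the default level of access should be no access" looks in practice.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "dba": {"db:read", "db:modify"},
    "requester": {"change:request"},
    "approver": {"change:approve"},
}

# Permission pairs that no single person may hold at the same time
# (a static separation-of-duties rule).
SOD_CONFLICTS = {frozenset({"change:request", "change:approve"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # a new hire starts with no roles


def permissions_for(user: User) -> set:
    """Union of the permissions granted by the user's roles; an unknown role grants nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, permission: str) -> bool:
    """Default deny: True only if some role explicitly grants the permission."""
    return permission in permissions_for(user)


def sod_violations(user: User) -> list:
    """Conflicting permission pairs this user holds (static SoD check)."""
    perms = permissions_for(user)
    return [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]


@dataclass
class ChangeRequest:
    change_id: str
    requested_by: str
    approved_by: Optional[str] = None


def approve(change: ChangeRequest, approver: User) -> ChangeRequest:
    """Approve a change only if the approver holds the right and did not request it.

    The second check is a dynamic separation-of-duties rule: even if a user
    somehow holds both roles, they still cannot close the loop on their own work.
    """
    if not is_allowed(approver, "change:approve"):
        raise PermissionError(f"{approver.name} lacks change:approve")
    if change.requested_by == approver.name:
        raise PermissionError("separation of duties: requester cannot approve own change")
    change.approved_by = approver.name
    return change


if __name__ == "__main__":
    print(is_allowed(User("newhire"), "db:read"))            # False: no roles, no access
    print(sod_violations(User("pat", {"requester", "approver"})))
    print(approve(ChangeRequest("CHG-1", "alice"), User("bob", {"approver"})))
```

The point worth noticing is that the denial for the new hire comes from the absence of a grant, not from a rule that says "deny"; there is nothing to forget to add. The static check (`sod_violations`) is what an access review would run over role assignments, while the dynamic check inside `approve` catches the case the static check cannot, a user acting in both capacities on the same item.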

4.  B. Job rotation and separation of duties policies help prevent fraud. Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions, and implementing these policies doesn't prevent collusion, nor does it encourage employees to collude against an organization. They help deter and prevent incidents, but they do not correct them.

5.  A. A job rotation policy has employees rotate jobs or job responsibilities and can help detect incidences of collusion and fraud. A separation of duties policy ensures that a single person doesn't control all elements of a specific function. Mandatory