An organization is implementing a password management application which requires that all local administrator passwords be stored and automatically managed. Auditors will be responsible for monitoring activities in the application by reviewing the logs. Which of the following security controls is the BEST option to prevent auditors from accessing or modifying passwords in the application?
A. Time of day restrictions B. Create user accounts for the auditors and assign read-only access C. Mandatory access control D. Role-based access with read-only
Answer: D
Explanation: Auditors (employees performing the auditor role) will have access application by reviewing the logs. We can therefore assign access based on employee role. This is an example of Role-based access control (RBAC). To prevent the auditors from modifying passwords in the application, we need to ensure that they do not have write access. Therefore, you should assign only read access.
Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be able to edit files” and “Denise is a member of the Editors group.” This model is always good for use in an environment in which there is high employee turnover.