CompTIA Security+ Question G-18

A company plans to expand by hiring new engineers who work in highly specialized areas. Each engineer will have very different job requirements and use unique tools and applications in their job. Which of the following is MOST appropriate to use?

A. Role-based privileges
B. Credential management
C. User assigned privileges
D. User access

Answer: A

In this question, we have engineers who require different tools and applications according to their specialized job function. We can therefore use the Role-Based Access Control model. Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be able to edit files” and “Denise is a member of the Editors group.” This model is always good for use in an environment in which there is high employee turnover.

CompTIA Security+ Question C-43

Ann has recently transferred from the payroll department to engineering. While browsing file shares, Ann notices she can access the payroll status and pay rates of her new coworkers. Which of the following could prevent this scenario from occurring?

A. Credential management
B. Continuous monitoring
C. Separation of duties
D. User access reviews

Answer: D

In addition to assigning user access properly, it is important to review that access periodically. Access review is a process to determine whether a user’s access level is still appropriate. People’s roles within an organization can change over time. It is important to review user accounts periodically and determine if they still require the access they currently have. An example of such a scenario would be a network administrator who was responsible for the domain controller but then moved over to administer the remote access servers. The administrator’s access to the domain controller should now be terminated. This concept of access review is closely related to the concept of least privileges. It is important that users do not have “leftover” privileges from previous job roles.