Читаем CISSP Practice полностью

Role-based policy is an example of nondiscretionary access controls. Access control decisions are based on the roles individual users are taking in an organization. This includes the specification of duties, responsibilities, obligations, and qualifications (e.g., a teller or loan officer associated with a banking system).

Both identity-based and user-directed policies are examples of discretionary access control. It is a type of access control that permits subjects to specify the access controls with certain limitations. Identity-based access control is based only on the identity of the subject and object. User-directed control is a type of access control in which subjects can alter the access rights with certain restrictions.

214. The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following actions is inconsistent with the principle of least privilege?

a. Authorization creep

b. Re-authorization when employees change positions

c. Users have little access to systems

d. Users have significant access to systems

214. a. Authorization creep occurs when employees continue to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege.

All the other three choices are incorrect because they are consistent with the principle of least privilege. Reauthorization can eliminate authorization creep, and it does not matter how many users have access to the system or how much access to the system as long as their access is based on need-to-know concept.

Permanent changes are necessary when employees change positions within an organization. In this case, the process of granting account authorizations occurs again. At this time, however, it is also important that access authorizations of the prior position be removed. Many instances of authorization-creep have occurred with employees continuing to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege, and it is security vulnerability.

215. Accountability is important to implementing security policies. Which of the following is least effective in exacting accountability from system users?

a. Auditing requirements

b. Password and user ID requirements

c. Identification controls

d. Authentication controls

215. b. Accountability means holding individual users responsible for their actions. Due to several problems with passwords and user IDs, they are considered to be the least effective in exacting accountability. These problems include easy to guess passwords, easy to spoof users for passwords, easy to steal passwords, and easy to share passwords. The most effective controls for exacting accountability include a policy, authorization scheme, identification and authentication controls, access controls, audit trails, and auditing.

216. Which of the following statement is not true in electronic authentication?

a. The registration authority and the credential service provider may be the same entity

b. The verifier and the relying party may be the same entity

c. The verifier, credential service provider, and the relying party may be separate entities

d. The verifier and the relying party may be separate entities

216. a. The relationship between the registration authority (RA) and the credential service provider (CSP) is a complex one with ongoing relationship. In the simplest and perhaps the most common case, the RA and CSP are separate functions of the same entity. However, an RA might be part of a company or organization that registers subscribers with an independent CSP, or several different CSPs. Therefore a CSP may be an integral part of RA, or it may have relationships with multiple independent RAs, and an RA may have relationships with different CSPs as well.