Role-based policy is an example of nondiscretionary access control. Access control decisions are based on the roles individual users take within an organization, which includes the specification of their duties, responsibilities, obligations, and qualifications (e.g., a teller or a loan officer in a banking system).
Both identity-based and user-directed policies are examples of discretionary access control, a type of access control that permits subjects to specify the access controls themselves, within certain limits. Identity-based access control bases its decisions only on the identity of the subject and the object. User-directed control is a type of access control in which subjects can alter access rights, subject to certain restrictions.
214. The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following actions is inconsistent with the principle of least privilege?
a. Authorization creep
b. Re-authorization when employees change positions
c. Users have little access to systems
d. Users have significant access to systems
The other three choices are incorrect because they are consistent with the principle of least privilege. Re-authorization eliminates authorization creep, and it does not matter how many users have access to a system, or how much access they have, as long as that access is based on the need-to-know concept.
Permanent changes are necessary when employees change positions within an organization. In this case, the process of granting account authorizations occurs again. At this time, however, it is also important that the access authorizations of the prior position be removed. Many instances of authorization creep have occurred because employees continued to hold access rights for positions they previously held within the organization. This practice is inconsistent with the principle of least privilege, and it is a security vulnerability.
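The following is an added example, not part of the original question bank, showing in code why a position change has to be treated as a fresh authorization. It models a small role-based policy (the teller and loan officer roles echo the banking example above; the permission names, user names and class names are assumptions made for this illustration). One transfer routine only adds the new role's rights, which is exactly how authorization creep accumulates; the other re-authorizes from scratch. An access-review function then reports any enforced permission that no current role justifies.

```python
"""Added example (not from the page): a minimal role-based access control
model that shows authorization creep on a position change and the
re-authorization that prevents it."""

# Constructed role catalogue: which permissions each role carries.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "cash:deposit", "cash:withdraw"},
    "loan_officer": {"account:read", "loan:create", "loan:approve"},
    "auditor": {"account:read", "ledger:read"},
}


class AccessControlList:
    """Tracks, per user, the roles currently authorized and the permissions
    the enforcement point actually honours. Keeping the two apart is what
    makes drift between them detectable."""

    def __init__(self):
        self.roles = {}    # user -> set of currently authorized roles
        self.granted = {}  # user -> set of permissions actually enforced

    def provision(self, user, role):
        """Initial account authorization: grant exactly the role's rights."""
        self.roles[user] = {role}
        self.granted[user] = set(ROLE_PERMISSIONS[role])

    def transfer_without_reauthorization(self, user, new_role):
        """The pattern that produces authorization creep: the new position's
        rights are added, but nothing from the prior position is removed."""
        self.roles[user] = {new_role}
        self.granted[user] |= ROLE_PERMISSIONS[new_role]

    def transfer_with_reauthorization(self, user, new_role):
        """Re-authorization: the move is handled as a fresh authorization.
        Every previously enforced permission is discarded and the granted
        set is rebuilt from the new role alone, so prior-position rights
        (and any ad-hoc grants tied to them) do not survive the transfer."""
        self.roles[user] = {new_role}
        self.granted[user] = set(ROLE_PERMISSIONS[new_role])

    def authorized_permissions(self, user):
        """Permissions justified by the user's current roles."""
        perms = set()
        for role in self.roles.get(user, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def authorization_creep(self, user):
        """Enforced permissions that no current role justifies. A non-empty
        result means the account violates least privilege."""
        return self.granted.get(user, set()) - self.authorized_permissions(user)

    def check_access(self, user, permission):
        """What the enforcement point would decide for a request."""
        return permission in self.granted.get(user, set())


def access_review(acl):
    """Periodic review: map each user with authorization creep to the
    excess permissions that should be revoked."""
    return {u: acl.authorization_creep(u)
            for u in acl.granted if acl.authorization_creep(u)}


if __name__ == "__main__":
    acl = AccessControlList()
    # alice moves from teller to loan officer without re-authorization.
    acl.provision("alice", "teller")
    acl.transfer_without_reauthorization("alice", "loan_officer")
    # bob makes the same move, but the transfer re-authorizes from scratch.
    acl.provision("bob", "teller")
    acl.transfer_with_reauthorization("bob", "loan_officer")
    for user, excess in access_review(acl).items():
        print(f"{user}: revoke {sorted(excess)}")
```

Only alice is flagged by the review: she can still withdraw cash although her only current role is loan officer, which is the situation the explanation above describes. The same `authorization_creep` check also catches direct grants made outside the role model, since it compares what is enforced against what the current roles justify rather than against a history of transfers.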
215. Accountability is important to implementing security policies. Which of the following is
a. Auditing requirements
b. Password and user ID requirements
c. Identification controls
d. Authentication controls
216. Which of the following statements is
a. The registration authority and the credential service provider may be the same entity
b. The verifier and the relying party may be the same entity
c. The verifier, credential service provider, and the relying party may be separate entities
d. The verifier and the relying party may be separate entities