PrepAway - Latest Free Exam Questions & Answers


An organization is implementing a password management application which requires that all local
administrator passwords be stored and automatically managed. Auditors will be responsible for
monitoring activities in the application by reviewing the logs. Which of the following security controls is
the BEST option to prevent auditors from accessing or modifying passwords in the application?


A.
Time of day restrictions

B.
Create user accounts for the auditors and assign read-only access

C.
Mandatory access control

D.
Role-based access with read-only

Explanation:
Correct answer: D.
Auditors (employees performing the auditor role) only need to review the application's logs. Access can
therefore be granted to the auditor role rather than to each person individually. This is an example of
Role-Based Access Control (RBAC).
To prevent the auditors from accessing or modifying passwords in the application, the auditor role must
carry no permission on the stored passwords at all, and only read permission on the logs. Read-only access
to the logs is sufficient for monitoring, provided the application logs who did what and never records the
password values themselves; otherwise read access to the logs would leak exactly what the control is meant
to protect.
Role-Based Access Control (RBAC) models approach the problem of access control based on established
roles in an organization. RBAC models implement access by job function or by responsibility. Each
employee has one or more roles that allow access to specific information. When a person moves from one
role to another, the permissions of the previous role are removed along with it.
Instead of thinking "Denise needs to be able to edit files," RBAC uses the logic "Editors need to be able to
edit files" and "Denise is a member of the Editors group." This model is well suited to environments with
high employee turnover, because access follows the role rather than the individual.
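The scenario in the explanation, worked as a small RBAC policy engine. This is an added example, not code from the exam page or from any real password-management product; the resource names ("audit_log", "password"), the role names ("auditor", "vault_admin"), the user names and the sample secret are all hypothetical. It shows the auditor role reading the log but being denied both read and write on passwords, the log never containing the secret value, and a role change revoking the previous role's access.

```python
"""Minimal role-based access control (RBAC) for the password manager in the question.
Added example: not code from the exam page or from any real product. Resource names
("audit_log", "password"), role names and user names are hypothetical."""
from dataclasses import dataclass, field

# Permissions are attached to roles, never to individual users. The auditor role
# can only read the audit log; it has no permission at all on stored passwords.
ROLE_PERMISSIONS = {
    "auditor": {("audit_log", "read")},
    "vault_admin": {("audit_log", "read"), ("password", "read"), ("password", "write")},
}


@dataclass
class Rbac:
    role_permissions: dict
    user_roles: dict = field(default_factory=dict)

    def assign_role(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def move_to_role(self, user, new_role):
        """Job change: drop every previous role so its access is revoked with it."""
        self.user_roles[user] = set()
        self.assign_role(user, new_role)

    def is_allowed(self, user, resource, action):
        return any((resource, action) in self.role_permissions[role]
                   for role in self.user_roles.get(user, ()))


class PasswordVault:
    """Constructed stand-in for the password management application."""

    def __init__(self, rbac):
        self.rbac = rbac
        self._secrets = {}
        self.audit_log = []

    def _authorize(self, user, resource, action):
        decision = "ALLOW" if self.rbac.is_allowed(user, resource, action) else "DENY"
        # Record who attempted what and the outcome; the secret value is never logged,
        # otherwise read access to the log would leak the passwords themselves.
        self.audit_log.append(f"{user} {action} {resource} -> {decision}")
        if decision == "DENY":
            raise PermissionError(f"{user} may not {action} {resource}")

    def set_password(self, user, host, value):
        self._authorize(user, "password", "write")
        self._secrets[host] = value

    def get_password(self, user, host):
        self._authorize(user, "password", "read")
        return self._secrets[host]

    def read_log(self, user):
        self._authorize(user, "audit_log", "read")
        return list(self.audit_log)


def demo():
    """Walk through the scenario and return the observed decisions."""
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign_role("alice", "vault_admin")
    rbac.assign_role("denise", "auditor")
    vault = PasswordVault(rbac)
    vault.set_password("alice", "srv01", "hunter2")  # constructed sample secret

    results = {}
    attempts = {
        "auditor_read_password": lambda: vault.get_password("denise", "srv01"),
        "auditor_write_password": lambda: vault.set_password("denise", "srv01", "changed"),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"

    log = vault.read_log("denise")  # auditors may read the log
    results["log_entries"] = len(log)
    results["log_leaks_secret"] = any("hunter2" in line for line in log)

    # Role change: moving Denise to vault_admin and back again shows that
    # permissions follow the role, and the old role's access disappears with it.
    rbac.move_to_role("denise", "vault_admin")
    results["after_promotion"] = vault.get_password("denise", "srv01")
    rbac.move_to_role("denise", "auditor")
    results["after_demotion"] = rbac.is_allowed("denise", "password", "read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the denied read and write for the auditor, the four log entries (with no secret in them), the successful read after promotion to vault_admin, and the loss of that permission once Denise is moved back to the auditor role.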
Incorrect Answers:
A: Time of day restrictions limit when an application can be accessed; for example, during office hours
only. They say nothing about what an auditor may do once logged in, so they will not prevent auditors from
accessing or modifying passwords in the application. Therefore, this answer is incorrect.
B: The auditors will already have user accounts. Creating additional user accounts for the auditors would
mean they have to manage multiple user accounts, and permissions granted per account have to be repeated
and later revoked for every auditor individually instead of once for the role. This is not the best
solution. Therefore, this answer is incorrect.
C: Mandatory Access Control (MAC) allows access to be granted or restricted based on the rules of
classification. MAC in corporate business environments is commonly described with four sensitivity levels:
Public, Sensitive, Private and Confidential. MAC assigns subjects a clearance level and assigns objects a
sensitivity label; a subject may access an object only when its clearance meets or exceeds the object's
sensitivity label. Because the decision depends on sensitivity rather than on job function, MAC cannot by
itself express "may read the logs but not the passwords" when both are held at the same sensitivity level.
This is not the best solution for this question. Therefore, this answer is incorrect.
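The MAC read check from answer C, worked as an added example (not code from the exam page) to show why it does not fit the question. The four levels are the ones named in the explanation; the labels assigned to the audit log and the password store are constructed, and the function names are hypothetical.

```python
"""Multilevel mandatory access control (MAC) read check: a subject may read an object
only when its clearance dominates the object's sensitivity label ("no read up").
Added example, not from the exam page; the object labels below are constructed."""

# The four corporate sensitivity levels named in the explanation, lowest to highest.
LEVELS = {"Public": 0, "Sensitive": 1, "Private": 2, "Confidential": 3}

# Hypothetical labels: the logs and the stored passwords sit at the same sensitivity.
OBJECT_LABELS = {"audit_log": "Confidential", "password_store": "Confidential"}


def mac_can_read(clearance, label):
    """Dominance check: the clearance level must be at least the object's label level."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_decisions(clearance, labels=OBJECT_LABELS):
    """Read decision for every object, given one subject clearance."""
    return {obj: mac_can_read(clearance, label) for obj, label in labels.items()}


if __name__ == "__main__":
    # A clearance high enough to read the logs also reads the passwords; a lower
    # one reads neither. MAC decides by sensitivity, not by job function.
    for clearance in ("Confidential", "Private"):
        print(clearance, mac_decisions(clearance))
```

With both objects at the same label, no clearance value separates "read the logs" from "read the passwords"; the RBAC role in answer D separates them by permission on each resource instead.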

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 151-152

