PrepAway - Latest Free Exam Questions & Answers

Ensuring least privilege does NOT require:

A. Identifying what the user’s job is.

B. Ensuring that the user alone does not have sufficient rights to subvert an important process.

C. Determining the minimum set of privileges required for a user to perform their duties.

D. Restricting the user to required privileges and nothing more.

Explanation:
Least privilege means an individual should have just enough permissions and rights to fulfill his role in the
company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of
access and put the company at more risk than is necessary.
Ensuring least privilege requires the following:
Identifying what the user’s job is (and therefore what he needs to do).
Determining the minimum set of privileges required for a user to perform their duties.
Restricting the user to required privileges and nothing more.
Ensuring that the user alone does not have sufficient rights to subvert an important process is not a
requirement for least privilege. This is an example of separation of duties, where it would take collusion between
two or more people to subvert the process.

Incorrect Answers:
A: Ensuring least privilege does require identifying what the user’s job is to determine what he needs to do and
what permissions he needs to do it.
C: Determining the minimum set of privileges required for a user to perform their duties is a requirement for
ensuring least privilege.
D: Restricting the user to required privileges and nothing more is the definition of least privilege. This is
obviously a requirement for ensuring least privilege.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 1236

