PrepAway - Latest Free Exam Questions & Answers

which of the following answers is BEST defined by the p…

Regarding risk reduction, which of the following answers is BEST defined by the process of giving only just
enough access to information necessary for them to perform their job functions?

A. Least Privilege Principle

B. Minimum Privilege Principle

C. Mandatory Privilege Requirement

D. Implicit Information Principle

Explanation:
Least privilege means an individual should have just enough permissions and rights to fulfill his role in the
company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of
access and put the company at more risk than is necessary. For example, if Dusty is a technical writer for a
company, he does not necessarily need to have access to the company’s source code. So, the mechanisms
that control Dusty’s access to resources should not let him access source code. This would properly fulfill
operations security controls that are in place to protect resources.
Incorrect Answers:
B: Minimum Privilege Principle is not the term defined by the process of giving only just enough access to
information necessary for them to perform their job functions.
C: Mandatory Privilege Requirement is not the term defined by the process of giving only just enough access to
information necessary for them to perform their job functions.
D: Implicit Information Principle is not the term defined by the process of giving only just enough access to
information necessary for them to perform their job functions.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1236

