PrepAway - Latest Free Exam Questions & Answers


Which of the following statements pertaining to access control is FALSE?


A. Users should only access data on a need-to-know basis.

B. If access is not explicitly denied, it should be implicitly allowed.

C. Access rights should be granted based on the level of trust a company has in a subject.

D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Explanation:
This answer is false as access control mechanisms should default to no access. The correct statement is that if access is not explicitly allowed, it should be implicitly denied.

Incorrect Answers:
A, C: Access rights should be granted to users based on their level of trust and their need-to-know.
D: Using roles is an effective method of assigning rights to a certain user who executes a specific task.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 203-206

