PrepAway - Latest Free Exam Questions & Answers

Which of the following has the organization failed to properly implement?

After an audit, it was discovered that the security group memberships were not properly adjusted
for employees’ accounts when they moved from one role to another. Which of the following has
the organization failed to properly implement? (Select TWO).

A.
Mandatory access control enforcement.

B.
User rights and permission reviews.

C.
Technical controls over account management.

D.
Account termination procedures.

E.
Management controls over account management.

F.
Incident management and response plan.

Explanation:
Reviewing user rights and permissions is the way to confirm that every group, user, and other
account holds only the privileges appropriate under corporate policy and the holder's job
description; that check matters here because the employees were all moved to different roles.
Controls over account management would have taken the employees' new roles into account and
adjusted the rights and permissions of their accounts accordingly.
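An added illustration (not from the exam page or its explanation) of what the two controls look like in practice: a user rights and permission review that reconciles observed security group memberships against a role-to-group policy and the HR roster, flagging memberships left over from a previous role, plus the list of directory changes that would realign the accounts. The role entitlements, roster and group listing are constructed sample data.

```python
"""Role-change access review: find security group memberships that no longer
match an employee's current role (privilege creep after a move between roles).

Constructed example: the role-to-group policy, HR roster and directory group
listing below are made up for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Policy: which security groups each job role is entitled to (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "helpdesk": {"helpdesk-tier1", "ticketing-users"},
    "sysadmin": {"server-admins", "vpn-admins", "ticketing-users"},
    "finance":  {"erp-finance", "payroll-readers"},
}

# HR system of record: each employee's current role (constructed).
# None means the person is no longer employed.
HR_ROSTER: Dict[str, Optional[str]] = {
    "alice": "sysadmin",   # moved from helpdesk to sysadmin
    "bob":   "finance",    # moved from sysadmin to finance
    "carol": "helpdesk",   # never changed role
    "dave":  None,         # left the company
}

# Directory: group -> members as observed at audit time (constructed).
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "helpdesk-tier1":  {"alice", "carol"},
    "ticketing-users": {"alice", "carol", "bob"},
    "server-admins":   {"alice", "bob"},
    "vpn-admins":      {"alice", "bob", "dave"},
    "erp-finance":     {"bob"},
    "payroll-readers": set(),
}


@dataclass
class ReviewFinding:
    user: str
    role: Optional[str]
    excess: Set[str]    # memberships not justified by the current role
    missing: Set[str]   # entitlements the role grants but the user lacks


def memberships_by_user(groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert group -> members into user -> groups."""
    result: Dict[str, Set[str]] = {}
    for group, members in groups.items():
        for user in members:
            result.setdefault(user, set()).add(group)
    return result


def review_access(role_entitlements, roster, groups) -> List[ReviewFinding]:
    """Detective control: compare what each account has with what its current
    role entitles it to. Accounts present in the directory but absent from HR,
    or with no role, are entitled to nothing."""
    actual = memberships_by_user(groups)
    findings = []
    for user in sorted(set(roster) | set(actual)):
        role = roster.get(user)
        entitled = role_entitlements.get(role, set()) if role else set()
        have = actual.get(user, set())
        excess, missing = have - entitled, entitled - have
        if excess or missing:
            findings.append(ReviewFinding(user, role, excess, missing))
    return findings


def remediation_plan(findings: List[ReviewFinding]) -> List[Tuple[str, str, str]]:
    """Technical control: the directory changes that bring memberships back in
    line with current roles (remove excess, add missing)."""
    plan = []
    for f in findings:
        plan += [("remove", f.user, g) for g in sorted(f.excess)]
        plan += [("add", f.user, g) for g in sorted(f.missing)]
    return plan


if __name__ == "__main__":
    findings = review_access(ROLE_ENTITLEMENTS, HR_ROSTER, DIRECTORY_GROUPS)
    for f in findings:
        print(f"{f.user} ({f.role}): excess={sorted(f.excess)} missing={sorted(f.missing)}")
    for action, user, group in remediation_plan(findings):
        print(f"{action:6} {user} -> {group}")
```

Run as is, the review flags alice's leftover helpdesk group, bob's three leftover sysadmin groups (and the finance group he was never added to), and dave's lingering VPN admin membership after leaving; carol, who never changed role, produces no finding. The review is the periodic check the question calls "user rights and permission reviews"; wiring the remediation plan into the directory on every HR role change is the account-management control that would have prevented the drift in the first place.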

6 Comments on “Which of the following has the organization failed to properly implement?”

  1. Mike says:

    I think it is “C”, since technical controls involve: Identification and Authentication, Access Control, Audit and Accountability, and System and Communication Protection.

  2. Jay says:

    The answer does make sense for being E, because Management Controls would deal with risk assessments (in this case, an audit performed on user accounts) which identified risk factors of privilege creep. The previous questions are consistent with risk-mitigating factors, which concludes that it falls under the risk assessment category, which in turn falls under the Management control category. It’s outlined in any study material, but I’ve read it in Get Certified, Get Ahead 401, Chapter 1.

  3. Black says:

    The question says “After an audit” – doesn’t that mean they have already performed a user rights and permission review? Because of this they have already discovered privilege creep.

    To prevent this from further occurring they can implement:

    Management control over account management – ex: defining policies and procedures (what should be done when employees are moved from one role to another)

    Technical control over account management – ex: least privilege

    So, I think the answer is C and E. — Correct me if you think I’m wrong.

  4. Paul says:

    Sorry to disagree with the group but I think that the answer is A and C.
    1. You are supposed to have account reviews to ensure that people have the correct level of permissions and that those accounts are supposed to exist. – C is pretty clear.
    2. The second one less so. We have people who have moved from one group to another but have continued to have the old permissions. Let’s consider the options. This would occur less if the managers assigned individual permissions. In this case, you have a discretionary access control situation. Some managers might be good at this but most – so-so. Most of the time, this is not a technical control situation. Scope creep is generally laziness and failure to follow through. Hard to stop stupidity or laziness. Mandatory access controls are rigid, inflexible controls that should not permit a user to have more than the least privilege necessary to do their job. I think that A is the only other plausible answer.

    1. Black says:

      But other access controls such as discretionary and role-based also don’t expect you to have privileges more than necessary. For me this question doesn’t even give me an indication that they use Mandatory Access Control.
