PrepAway - Latest Free Exam Questions & Answers

Which of the following is not true of authorization creep?

Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?

A. Users have a tendency to request additional permissions without asking for others to be taken away.

B. It is a violation of “least privilege.”

C. It enforces the “need-to-know” concept.

D. It commonly occurs when users transfer to other departments or change positions.

Explanation:

C: The “need-to-know” concept is based on the idea that users are only given access rights to resources that they need in order to fulfill their job responsibilities. If access is not explicitly allowed, it should be implicitly denied. Instead of giving access to everything and then taking privileges away based on “need-to-know,” the better approach is to start with nothing and add privileges based on need-to-know. Authorization creep is contrary to this concept: it is the accumulation of access rights over time, particularly rights the user does not have a need to know.

A is incorrect because it correctly describes a cause of authorization creep, and the question asks which statement is not true. Authorization creep often occurs because users tend to request additional permissions without asking for others to be taken away. As a result, users have far more access rights and permissions than they require. This poses a significant risk because too many users end up with too much privileged access to company assets.

B is incorrect because authorization creep is a violation of “least privilege,” and the question asks which statement is not true. Least privilege is a principle that states users should be given the least amount of privileges necessary to be productive when carrying out their tasks. Enforcing least privilege on user accounts should be an ongoing job, which means each user’s permissions should be reviewed periodically to ensure the company is not putting itself at risk.

D is incorrect because it correctly describes a cause of authorization creep, and the question asks which statement is not true. When users transfer to other departments or change positions, they are often assigned more access rights and permissions, far more than they need to get their jobs done. These rights and permissions are commonly added to their original ones, so their access to resources can become too vast and dangerous.
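The ongoing review described above, as an added example that is not part of the original page: a small Python access review that compares what each account actually holds against a role baseline and attributes each excess permission to the former role it was carried over from. Role names, permission strings and users are constructed for illustration.

```python
"""Access review that flags authorization creep against a role baseline (added example)."""
from dataclasses import dataclass, field

# Constructed role baselines: the permissions each role needs to do its job ("need-to-know").
ROLE_BASELINE: dict[str, set[str]] = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve", "bank.payments.submit"},
    "hr_generalist": {"hris.records.read", "hris.records.update", "payroll.reports.read"},
}


@dataclass
class User:
    name: str
    current_role: str
    permissions: set[str]                      # what the account actually holds today
    role_history: list[str] = field(default_factory=list)  # previous roles, most recent first


def find_creep(user: User, baseline: dict[str, set[str]]) -> set[str]:
    """Permissions the account holds that its current role does not need (least-privilege violation)."""
    return user.permissions - baseline[user.current_role]


def attribute_creep(user: User, baseline: dict[str, set[str]]) -> dict[str, str]:
    """Map each excess permission to the former role that explains it, or 'unexplained'
    for ad-hoc grants that were requested and never removed."""
    result = {}
    for perm in find_creep(user, baseline):
        origin = next((r for r in user.role_history if perm in baseline.get(r, set())), "unexplained")
        result[perm] = origin
    return result


def review(users: list[User], baseline: dict[str, set[str]]) -> dict[str, dict[str, str]]:
    """Return {user: {permission: origin}} for every account carrying creep; clean accounts are omitted."""
    return {u.name: attribute_creep(u, baseline) for u in users if find_creep(u, baseline)}


# Constructed sample: Dana transferred from accounts payable to HR and kept the old approval and
# payment rights, plus an ad-hoc share grant; Ravi holds exactly what his role needs.
USERS = [
    User("dana", "hr_generalist",
         ROLE_BASELINE["hr_generalist"] | {"erp.invoices.approve", "bank.payments.submit",
                                           "fileshare.finance.write"},
         role_history=["accounts_payable"]),
    User("ravi", "accounts_payable", set(ROLE_BASELINE["accounts_payable"])),
]

if __name__ == "__main__":
    for name, findings in review(USERS, ROLE_BASELINE).items():
        for perm, origin in sorted(findings.items()):
            print(f"{name}: excess {perm} (carried over from: {origin})")
```

Every permission reported with a former-role origin is a candidate for removal as part of the transfer process; "unexplained" entries are the requested-and-never-revoked grants that option A describes.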
