(ISC)2 Certified in Cybersecurity Practice Exam

Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What principle states that individuals should only have the minimum set of permissions necessary to carry out their job functions?

  1. Least privilege

  2. Two person control

  3. Job rotation

  4. Separation of privileges

The correct answer is: Least privilege

The principle of least privilege asserts that individuals should be granted the minimum level of access necessary to perform their job functions effectively. By adhering to this principle, organizations can significantly reduce the risk of unauthorized access to sensitive information or critical systems. This approach limits the potential damage that can occur from both internal and external threats, as users do not have more permissions than they require.

Implementing least privilege requires careful consideration of roles and responsibilities within the organization, ensuring that access rights are assigned based on the principle of necessity. This practice mitigates risks such as accidental or intentional data breaches, as users are not able to access or manipulate data beyond their scope of work.

The other concepts, while related to security and access control, focus on different mechanisms. Two-person control entails requiring two individuals to complete a critical task, promoting checks and balances. Job rotation refers to the practice of moving employees between different roles to prevent fraud and promote cross-training. Separation of privileges involves dividing access rights among multiple users to ensure that no single individual has complete control over a system or process. Each of these concepts contributes to a secure environment but does not specifically address the core idea of limiting permissions to the minimum necessary for job performance.