nerdexam
Cisco

350-401 · Question #459

Which design principle slates that a user has no access by default to any resource, and unless a resource is explicitly granted, it should be denied?

The correct answer is B. fail-safe defaults. Fail-safe defaults (B) is correct because this principle establishes that the default state for any resource is denial of access - access must be explicitly and intentionally granted, rather than explicitly revoked. This "deny by default, permit by exception" approach ensures tha

Submitted by takeshi77· Mar 6, 2026Security

Question

Which design principle slates that a user has no access by default to any resource, and unless a resource is explicitly granted, it should be denied?

Options

  • Aleast privilege
  • Bfail-safe defaults
  • Ceconomy of mechanism
  • Dcomplete mediation

How the community answered

(27 responses)
  • B
    96% (26)
  • C
    4% (1)

Explanation

Fail-safe defaults (B) is correct because this principle establishes that the default state for any resource is denial of access - access must be explicitly and intentionally granted, rather than explicitly revoked. This "deny by default, permit by exception" approach ensures that mistakes or omissions in configuration result in a secure (denied) state rather than an open one.

  • Least privilege (A) is wrong because it focuses on limiting users to only the permissions they need to perform their job, not on the baseline default state of access.
  • Economy of mechanism (C) is wrong because it refers to keeping security designs simple and small to reduce the attack surface and minimize errors.
  • Complete mediation (D) is wrong because it requires that every access request to every resource be checked and verified, rather than defining what the default access state should be.

Memory tip: Think of "fail-safe" like a locked door - if the system fails or no one has acted, the door stays safely locked. The default is always "no entry" unless someone explicitly unlocks it.

Topics

#Security principles#Access control#Fail-safe defaults#Default deny

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice