nerdexam
Isaca

CDPSE · Question #189

During the design of a role-based user access model for a new application, which of the following principles is MOST important to ensure data privacy is protected?

The correct answer is D. Need-to-know basis. Need-to-know basis is the correct answer because role-based access models are fundamentally about restricting data access to only what a user requires to perform their job function - this directly protects data privacy by minimizing unnecessary exposure of sensitive information.

Privacy Architecture

Question

During the design of a role-based user access model for a new application, which of the following principles is MOST important to ensure data privacy is protected?

Options

  • ASegregation of duties
  • BUnique user credentials
  • CTwo-person rule
  • DNeed-to-know basis

How the community answered

(33 responses)
  • A
    6% (2)
  • B
    3% (1)
  • C
    9% (3)
  • D
    82% (27)

Explanation

Need-to-know basis is the correct answer because role-based access models are fundamentally about restricting data access to only what a user requires to perform their job function - this directly protects data privacy by minimizing unnecessary exposure of sensitive information.

Why the distractors fall short:

  • A (Segregation of duties) addresses fraud prevention and operational control by splitting critical tasks across multiple people - valuable for compliance, but its goal is preventing abuse of actions, not limiting data visibility.
  • B (Unique user credentials) supports accountability and authentication, but having a unique login says nothing about what data that user can see - it's an identity control, not a privacy control.
  • C (Two-person rule) requires two authorized individuals to perform sensitive operations together - this is an integrity/safety control (common in high-stakes environments like nuclear), not a privacy design principle.

Memory tip: Think of it as the "nosy coworker" test - even a trusted, uniquely-identified employee with separate duties still shouldn't be able to browse HR records or finance data they don't need. The need-to-know principle is the one that stops that.

Topics

#RBAC#Least Privilege#Need-to-Know#Access Control Design

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice