CERTIFIED-IN-CYBERSECURITY Question #219: Real Exam Question with Answer & Explanation
The correct answer is C: Need to know. Need to know limits access to information to those who require it to perform their job duties (see ISC2 Study Guide, Chapter 3, Module 1). The access is declined despite the user meeting the necessary security clearance because there is no business justification for it.
Question
What security principle is being adhered to when a user's access request is declined, despite meeting the necessary security clearance, because there is no business justification for the access?
Options
- A. Separation of duties
- B. Two-person control
- C. Need to know
- D. Least privilege
Explanation
Need to know is a principle that limits access to information to only those who require it to perform their job duties (see ISC2 Study Guide, Chapter 3, Module 1). A security clearance is necessary but not sufficient: the request is declined, despite the user holding the required clearance, because there is no business justification for the access, and that justification is exactly what need to know demands. Imagine an employee, John, who is a network administrator with a high security clearance due to his job role. John requests access to a database containing sensitive HR records. Despite having the necessary clearance, his request is denied because his job as a network administrator does not require him to access HR records; there is no business justification for John to have this information. In this scenario the company applies the need-to-know principle to restrict John's access. Least privilege (option D) is closely related but distinct: it limits the rights and permissions a user is granted (for example, read-only rather than read/write) to the minimum needed for the task, whereas need to know decides whether the user should see the information at all. Two-person control is a security measure that requires two people to work together to complete a task. Separation of duties is the principle that divides certain job functions among different people to reduce the risk of fraud or errors.
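The John scenario above as an authorization check, written as an added example for this page (it is not from the ISC2 Study Guide or the question bank). The subjects, resources, category names and the three-step policy are assumptions chosen to separate the three ideas the question tests: a clearance check, a need-to-know check on data categories, and a least-privilege check on the operation requested.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels; a clearance must dominate a classification."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset   # data categories the subject has a business justification for
    permissions: frozenset    # operations the role actually needs (least privilege)


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Level
    categories: frozenset     # data categories the resource belongs to


def authorize(subject: Subject, resource: Resource, operation: str) -> tuple[bool, str]:
    """Return (allowed, reason). Clearance is necessary but never sufficient on its own."""
    # 1. Clearance: the subject's level must dominate the resource's classification.
    if subject.clearance < resource.classification:
        return False, (f"clearance {subject.clearance.name} is below "
                       f"classification {resource.classification.name}")
    # 2. Need to know: every category the resource carries must be one the
    #    subject has a documented business justification for.
    missing = resource.categories - subject.need_to_know
    if missing:
        return False, f"no need to know for categories {sorted(missing)}"
    # 3. Least privilege: even with a need to know, only the operations the
    #    role requires are granted.
    if operation not in subject.permissions:
        return False, f"operation '{operation}' not granted (least privilege)"
    return True, "allowed"


# Constructed sample data (assumptions, not from the page).
JOHN = Subject("John (network admin)", Level.SECRET,
               frozenset({"NETWORK"}), frozenset({"read", "write"}))
ALICE = Subject("Alice (HR analyst)", Level.CONFIDENTIAL,
                frozenset({"HR"}), frozenset({"read"}))

HR_RECORDS = Resource("hr_records_db", Level.CONFIDENTIAL, frozenset({"HR"}))
NETWORK_CONFIG = Resource("core_router_config", Level.SECRET, frozenset({"NETWORK"}))


if __name__ == "__main__":
    for who, what, op in [(JOHN, HR_RECORDS, "read"),      # clearance ok, no need to know
                          (ALICE, HR_RECORDS, "read"),     # need to know present
                          (ALICE, HR_RECORDS, "write"),    # need to know, but not least privilege
                          (ALICE, NETWORK_CONFIG, "read")]:  # clearance too low
        allowed, reason = authorize(who, what, op)
        print(f"{who.name:24} {op:5} {what.name:20} -> {allowed}: {reason}")
```

The interesting case is the first one: John's SECRET clearance dominates the CONFIDENTIAL HR database, so step 1 passes, and step 2 still denies him because "HR" is not a category he has a need to know for. Alice's third request shows the difference to least privilege: she may see HR records, but her role only justifies reading them.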