CERTIFIED-IN-CYBERSECURITY · Question #529
CERTIFIED-IN-CYBERSECURITY Question #529: Real Exam Question with Answer & Explanation
The correct answer is B: Healthcare workers can only access the assets they need for their role and nothing more.
Question
In a healthcare organization, which of the following would be an example of the principle of least privilege?
Options
- A. Patients have the privilege to access other patients' data for comparison
- B. Healthcare workers can only access the assets they need for their role and nothing more
- C. All doctors have access to all patient data regardless of whether they are their assigned doctor
- D. All healthcare workers can access all patient data to ensure efficient and premium service
Explanation
The statement "Healthcare workers can only access the assets they need to perform their roles and nothing more" is an example of the principle of least privilege, which states that users should have only the minimum access necessary to perform their jobs (see the ISC2 Study Guide, Chapter 3, Module 1). For example, a nurse should only have access to the medical records of the patients she is currently treating, while a billing clerk should only have access to billing information. The other options are incorrect because they do not follow the principle of least privilege. Allowing all healthcare workers or all physicians to access all patient information, regardless of their role or the patients they are treating, would violate this principle. Similarly, allowing patients to access other patients' data for comparison would not only violate the principle of least privilege, but would also likely violate privacy laws and regulations.