CISSP · Question #341
Due to system constraints, a group of system administrators must share a high-level access set of credentials. Which of the following would be MOST appropriate to implement?
The correct answer is C. A credential check-out process for a per-use basis. When shared privileged credentials are unavoidable, a credential check-out process ensures accountability by tracking who used the credentials, when, and for how long on a per-use basis.
Question
Options
- AIncreased console lockout times for failed logon attempts
- BReduce the group in size
- CA credential check-out process for a per-use basis
- DFull logging on affected systems
How the community answered
(37 responses)- A3% (1)
- B11% (4)
- C78% (29)
- D8% (3)
Why each option
When shared privileged credentials are unavoidable, a credential check-out process ensures accountability by tracking who used the credentials, when, and for how long on a per-use basis.
Increasing console lockout times for failed logon attempts reduces security rather than improving accountability, as it makes the system more permissive to brute-force attempts and does nothing to track who is using the shared credentials.
Reducing the group size limits exposure but does not solve the core problem of shared credential accountability, as even a smaller group sharing credentials still lacks individual auditability and non-repudiation.
A credential check-out process implements a Privileged Access Management (PAM) control that assigns temporary, auditable access to shared credentials on a per-use basis. This maintains accountability even when credentials are shared, as each check-out is logged to a specific administrator with a timestamp, preserving a chain of custody. It directly addresses the risk of shared credentials by ensuring non-repudiation without requiring a complete architectural overhaul.
Full logging on affected systems provides forensic data after the fact but does not control or attribute who checked out and used the shared credentials in real time, making it a detective rather than a preventive or accountability control.
Concept tested: Privileged Access Management and shared credential accountability
Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Topics
Community Discussion
No community discussion yet for this question.