nerdexam
(ISC)2

CISSP · Question #341

Due to system constraints, a group of system administrators must share a high-level access set of credentials. Which of the following would be MOST appropriate to implement?

The correct answer is C. A credential check-out process for a per-use basis. When shared privileged credentials are unavoidable, a credential check-out process ensures accountability by tracking who used the credentials, when, and for how long on a per-use basis.

Submitted by kev92· Mar 5, 2026Identity and Access Management

Question

Due to system constraints, a group of system administrators must share a high-level access set of credentials. Which of the following would be MOST appropriate to implement?

Options

  • AIncreased console lockout times for failed logon attempts
  • BReduce the group in size
  • CA credential check-out process for a per-use basis
  • DFull logging on affected systems

How the community answered

(37 responses)
  • A
    3% (1)
  • B
    11% (4)
  • C
    78% (29)
  • D
    8% (3)

Why each option

When shared privileged credentials are unavoidable, a credential check-out process ensures accountability by tracking who used the credentials, when, and for how long on a per-use basis.

AIncreased console lockout times for failed logon attempts

Increasing console lockout times for failed logon attempts reduces security rather than improving accountability, as it makes the system more permissive to brute-force attempts and does nothing to track who is using the shared credentials.

BReduce the group in size

Reducing the group size limits exposure but does not solve the core problem of shared credential accountability, as even a smaller group sharing credentials still lacks individual auditability and non-repudiation.

CA credential check-out process for a per-use basisCorrect

A credential check-out process implements a Privileged Access Management (PAM) control that assigns temporary, auditable access to shared credentials on a per-use basis. This maintains accountability even when credentials are shared, as each check-out is logged to a specific administrator with a timestamp, preserving a chain of custody. It directly addresses the risk of shared credentials by ensuring non-repudiation without requiring a complete architectural overhaul.

DFull logging on affected systems

Full logging on affected systems provides forensic data after the fact but does not control or attribute who checked out and used the shared credentials in real time, making it a detective rather than a preventive or accountability control.

Concept tested: Privileged Access Management and shared credential accountability

Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Topics

#Shared credentials#Privileged access management#Accountability#Credential management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice