nerdexam
(ISC)2

CISSP · Question #441

When dealing with shared, privilaged accounts, especially those for emergencies, what is the BEST way to assure non-repudiation of logs?

The correct answer is B. implement a password vaulting solution.. Non-repudiation for shared privileged accounts requires tracking exactly who accessed credentials and when, which a password vaulting solution provides through session recording and credential checkout logging.

Submitted by zhang_li· Mar 5, 2026Identity and Access Management (IAM)

Question

When dealing with shared, privilaged accounts, especially those for emergencies, what is the BEST way to assure non-repudiation of logs?

Options

  • ARegularity change the passwords,
  • Bimplement a password vaulting solution.
  • CLock passwords in tamperproof envelopes in a safe.
  • DImplement a strict access control policy.

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    79% (19)
  • C
    8% (2)
  • D
    8% (2)

Why each option

Non-repudiation for shared privileged accounts requires tracking exactly who accessed credentials and when, which a password vaulting solution provides through session recording and credential checkout logging.

ARegularity change the passwords,

Regularly changing passwords improves security hygiene but does nothing to establish who used the account at any given time, providing no non-repudiation capability.

Bimplement a password vaulting solution.Correct

A password vaulting solution (Privileged Access Management/PAM) enforces individual accountability by requiring each user to check out credentials, recording who accessed the shared account, when, and what actions were taken during the session. This creates an auditable trail that ties specific individuals to actions performed under shared accounts, directly supporting non-repudiation even when multiple users share a single privileged account. Features like session recording and keystroke logging ensure that logs cannot be denied or disputed.

CLock passwords in tamperproof envelopes in a safe.

Locking passwords in tamperproof envelopes in a safe is a physical control that restricts access but creates no digital audit trail linking a specific individual to account usage, failing to support non-repudiation of logs.

DImplement a strict access control policy.

A strict access control policy defines rules and permissions but does not inherently provide the logging and individual attribution needed to prove who performed specific actions under a shared privileged account.

Concept tested: Privileged Access Management for non-repudiation of shared accounts

Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Topics

#privileged access management#non-repudiation#password vaulting#emergency accounts

Community Discussion

No community discussion yet for this question.

Full CISSP Practice