nerdexam
(ISC)2

CISSP · Question #620

Individual access to a network is BEST determined based on

The correct answer is C. business need.. Network access control decisions should be driven by business need, following the principle of least privilege - users are granted only the access required to perform their job functions.

Submitted by ashley.k· Mar 5, 2026Identity and Access Management

Question

Individual access to a network is BEST determined based on

Options

  • Arisk matrix.
  • Bvalue of the data.
  • Cbusiness need.
  • Ddata classification.

How the community answered

(55 responses)
  • A
    2% (1)
  • C
    95% (52)
  • D
    4% (2)

Why each option

Network access control decisions should be driven by business need, following the principle of least privilege - users are granted only the access required to perform their job functions.

Arisk matrix.

A risk matrix is a tool used to evaluate and prioritize risks, not to make individual access decisions for specific users or accounts.

Bvalue of the data.

The value of data informs classification and protection strategies, but by itself does not determine who specifically should be granted access to a network resource.

Cbusiness need.Correct

Business need is the foundational principle behind least-privilege access control; access rights are granted based on what a user must do to fulfill their role, ensuring no excess permissions are assigned. This aligns with the 'need-to-know' and 'least privilege' security principles, which tie access directly to job function rather than technical or risk factors alone. Basing access on business need ensures accountability and minimizes the attack surface by limiting unnecessary entitlements.

Ddata classification.

Data classification helps define security controls and handling requirements for data categories, but individual access decisions must still be tied to a user's specific business need rather than classification alone.

Concept tested: Least privilege and need-to-know access control principle

Source: https://csrc.nist.gov/glossary/term/least_privilege

Topics

#access control#least privilege#business need#need-to-know

Community Discussion

No community discussion yet for this question.

Full CISSP Practice