CISSP · Question #620
Individual access to a network is BEST determined based on
The correct answer is C. business need.. Network access control decisions should be driven by business need, following the principle of least privilege - users are granted only the access required to perform their job functions.
Question
Options
- Arisk matrix.
- Bvalue of the data.
- Cbusiness need.
- Ddata classification.
How the community answered
(55 responses)- A2% (1)
- C95% (52)
- D4% (2)
Why each option
Network access control decisions should be driven by business need, following the principle of least privilege - users are granted only the access required to perform their job functions.
A risk matrix is a tool used to evaluate and prioritize risks, not to make individual access decisions for specific users or accounts.
The value of data informs classification and protection strategies, but by itself does not determine who specifically should be granted access to a network resource.
Business need is the foundational principle behind least-privilege access control; access rights are granted based on what a user must do to fulfill their role, ensuring no excess permissions are assigned. This aligns with the 'need-to-know' and 'least privilege' security principles, which tie access directly to job function rather than technical or risk factors alone. Basing access on business need ensures accountability and minimizes the attack surface by limiting unnecessary entitlements.
Data classification helps define security controls and handling requirements for data categories, but individual access decisions must still be tied to a user's specific business need rather than classification alone.
Concept tested: Least privilege and need-to-know access control principle
Source: https://csrc.nist.gov/glossary/term/least_privilege
Topics
Community Discussion
No community discussion yet for this question.