nerdexam
CompTIA

SY0-301 · Question #42

Privilege creep among long-term employees can be mitigated by which of the following procedures?

The correct answer is A. User permission reviews. Privilege creep occurs when employees accumulate permissions over time beyond what their current role requires, and periodic user permission reviews directly identify and revoke those excess rights.

Security operations

Question

Privilege creep among long-term employees can be mitigated by which of the following procedures?

Options

  • AUser permission reviews
  • BMandatory vacations
  • CSeparation of duties
  • DJob function rotation

How the community answered

(33 responses)
  • A
    91% (30)
  • B
    3% (1)
  • D
    6% (2)

Why each option

Privilege creep occurs when employees accumulate permissions over time beyond what their current role requires, and periodic user permission reviews directly identify and revoke those excess rights.

AUser permission reviewsCorrect

User permission reviews, also called access recertification or entitlement reviews, systematically compare each user's current permissions against their job role and remove any accumulated, unnecessary access. This directly addresses privilege creep by periodically resetting privileges to the least-privilege baseline required for the current function.

BMandatory vacations

Mandatory vacations are a fraud-detection control that expose actions only one person could perform, not a mechanism for removing accumulated permissions.

CSeparation of duties

Separation of duties divides critical tasks among multiple people but does not identify or revoke permissions a user has gathered over time.

DJob function rotation

Job function rotation moves employees between roles but does not automatically audit or revoke permissions accumulated from previous positions.

Concept tested: Mitigating privilege creep through access recertification

Source: https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Topics

#privilege creep#user permission reviews#least privilege#identity management

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice