Exam CISM topic 1 question 212 discussion

Its B - Reason why its not A: Role-based access control is a critical security measure, but it might not prevent an insider who is already authorized from abusing their access privileges.

D I think

Best "defense" against a user who may become malicious after being hired and passed a background investigation, is RBAC. If the concern with RBAC is what if that user's role includes access to sensitive information, then normally you would have additional controls in place to mitigate that like context-based and time-limited access controls, logging and monitoring, and etc.

I was pro B, but now i reread the question, its not asking for what is best practices. its telling you users were ALREADY HIRED, what do we do now? which why its D. had it said oh what can we do to ensure insider threat is mitigated then yea B all the way, but its D since they are onboarded and hired. you are past background checks

D. Role based access control in thos case. There is another similar question that asks FIRST step and for that one is the background check/ screening. We should read carefully

This is the practical measure, employees screening is not applicabe sometimes

What if the insider has the access to the confidence data by his role, then the RBAC wont help.

QAE Paper version page 111 it has the answer, which is RBAC

Only B. RBAC does not help. What about one of the top management/board of directors is a bad guy. He has privileges to many important information at his manageable level.

D. Role-based access control (RBAC). Role-based access control is a security strategy that limits access to computer systems and data based on individuals' roles or job functions within an organization. It ensures that individuals only have access to the information and resources necessary for them to perform their job duties, and nothing more. This approach minimizes the potential for unauthorized access to sensitive data by limiting access privileges to only what is required for an individual's specific role.

D. Role-based access control

This is indeed a tough one. It could easily be B, as this has been reiterated in CISM and CISSP books. Also, background checks are preventative control. However, Hemang Doshi's CISM Exam prep guide (2nd Edition) book says the following: "The best way to protect confidential information from an insider threat is to provide access to confidential information on a need-toknow basis, that is, role-based access control. " So I'm going to go with D here, but I'm not 100% sure.

Again, this question makes it sound like the individuals have already been hired so I would go D. They need a clear indication in these questions if the individuals are already "working" in the company or not.

RBAC is not effective if malicious user's job involves accessing sensitive data. Background checks can't confirm employee's current behaviour. The only way to check is by doing regular audits hence A.

How can hiring mitigations be selected as best? Insider is someone already in the organization. D is the only reasonable answer!

D - Is the most logical and effective control here. Strong background check is only initia screening

The answer is D. Role-based access control B.Strong background check can not be the correct answer because this is an HR responsibility and also because someone had a positive background check doesn't guarantee that they will be a trustworthy employee. Also, employees change over time. I good and trustworthy employee today may not necessarily be a good and trustworthy employee tomorrow. People and situations do change and as such the best answer from the option is RBAC. It limits access privileges to only authorised individuals based on roles and responsibilities.