An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following approaches would BEST improve SoD effectiveness?
A. Implementation of frequent audits of access and activity in the ERP by a separate team with no operational duties
B. Implementation of strengthened authentication measures including mandatory second-factor authentication
C. Review of ERP access profiles to enforce the least-privilege principle based on existing employee responsibilities
D. Review of employee responsibilities and ERP access profiles to differentiate mission activities from system support activities
D is correct.
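The following is an added illustration, not part of the exam question, the answer key, or any commenter's post on this page. It models the distinction the answer choices turn on: trimming a user's roles to their existing responsibilities (option C) versus reviewing responsibilities and profiles to separate mission activities from system-support activities (option D). All role, duty and user names, and the SoD conflict pairs, are constructed sample data, not the configuration of any real ERP product.

```python
"""Toy segregation-of-duties (SoD) review over ERP access profiles.

Constructed example: duties, roles, users and conflict pairs are invented
for illustration and do not describe any real ERP system.
"""

# Two classes of activity, as in option D: mission (business) duties versus
# system-support (administrative) duties.
MISSION_DUTIES = {"create_vendor", "approve_payment", "post_journal"}
SYSTEM_SUPPORT_DUTIES = {"modify_workflow_config", "manage_user_roles"}

# Constructed SoD rules: pairs of duties one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_payment"}),
}

# Constructed ERP role definitions: role name -> duties the role grants.
ROLES = {
    "AP_Clerk": {"create_vendor", "post_journal"},
    "AP_Manager": {"approve_payment"},
    "ERP_Admin": {"modify_workflow_config", "manage_user_roles"},
    "Reporting": {"run_reports"},
}


def effective_duties(roles):
    """Union of the duties granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))


def least_privilege_trim(assigned_roles, responsibilities):
    """Option C: keep only roles that serve the employee's existing responsibilities.

    A role is kept when at least one of its duties is among the responsibilities.
    """
    return {r for r in assigned_roles if ROLES[r] & responsibilities}


def sod_violations(duties):
    """Conflict pairs fully contained in one person's duties."""
    return {pair for pair in SOD_CONFLICTS if pair <= duties}


def mixes_mission_and_support(duties):
    """Option D's differentiation: does one person hold both classes of duty?"""
    return bool(duties & MISSION_DUTIES) and bool(duties & SYSTEM_SUPPORT_DUTIES)


def review_profile(user, assigned_roles, responsibilities):
    """Apply the least-privilege trim, then report what SoD review still finds."""
    trimmed = least_privilege_trim(assigned_roles, responsibilities)
    duties = effective_duties(trimmed)
    return {
        "user": user,
        "roles_after_trim": trimmed,
        "sod_violations": sod_violations(duties),
        "mixes_mission_and_support": mixes_mission_and_support(duties),
    }


# Constructed sample employees.
SAMPLE_USERS = [
    # Existing responsibilities already combine conflicting duties, so a
    # least-privilege trim keeps both roles and the SoD conflict survives.
    ("alice", {"AP_Clerk", "AP_Manager", "Reporting"},
     {"create_vendor", "approve_payment"}),
    # No pairwise conflict, but one person both approves payments and manages
    # ERP roles: mission and system-support duties are not separated.
    ("bob", {"AP_Manager", "ERP_Admin"},
     {"approve_payment", "manage_user_roles"}),
]


def run_review():
    """Review every sample user; returns a list of per-user findings."""
    return [review_profile(u, roles, resp) for u, roles, resp in SAMPLE_USERS]


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

The trim step models option C faithfully: "alice" loses the unused Reporting role, yet keeps a vendor-creation role next to a payment-approval role because her existing responsibilities already include both, so the conflict is untouched. The mission/system-support check models the differentiation option D calls for and flags "bob", whom the pairwise rules miss.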
Reviewing ERP access profiles to enforce the least-privilege principle based on existing employee responsibilities is a good practice to ensure that employees have access only to the data and functionality they need to perform their job duties. However, it does not directly address SoD and may not be effective in preventing SoD violations.
D is correct. C is incorrect because it is really not doing anything to change anything from the current environment, thus by default, it cannot improve it.
The question was asking which one would best improve SoD. Keyword: improve. How to improve? First, review ERP profiles based on employee responsibilities, also enforce an extra measure: least privilege. This is called improve.
A & D - no improvement,
B - has MFA as an extra measure, but MFA was for authentication. Nothing to do with SoD.
D. Review of employee responsibilities and ERP access profiles to differentiate mission activities from system support activities... seems to make more sense than C.
D is probably correct BUT D states specifics. I was advised in the CISSP course to go for general overall answers. C seems better since it's not as specific and mentions the right terms. Also, D lists mission and system support, but there are more duties that need to be separated. D also talks about reviewing duties and access in the ERP system, but the question only talks about ERP. It just seems like D is there to throw you off.
Although CISSP does like audits very much, an audit that covers access and activity (and not job functions) is probably not enough. Also, "independent team" is somewhat vague. We need auditors for an audit, internal or external.
I agree with D. I was going with C, but the word "existing" tells me previous or past tense, meaning that responsibilities could have changed and the least-privilege rule may cause issues. D shows an active real-time analysis of current responsibilities matching job duties.
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters: Rollingalx (Highly Voted, 1 year, 9 months ago); jackdryan (1 year, 6 months ago); Dtony66 (Most Recent, 5 months, 2 weeks ago); Hongjun (7 months, 3 weeks ago); Soleandheel (11 months, 1 week ago); HughJassole (1 year, 5 months ago); [Removed] (1 year, 7 months ago); Bodatiousbob (1 year, 8 months ago)