Exam CISSP topic 1 question 463 discussion

I go with A Business role review is the most important additional measure to successfully limit excess access privileges when implementing RBAC

The new line manager will not know what the previous role access is given to the person. So as a person moves between line managers they will go accumulating permissions. That is why a Business role review is key to RBAC

Line Manager review complements RBAC by ensuring that access are continuously aligned with job function

The line manager is typically responsible for overseeing the activities and responsibilities of employees in their department. A regular review of assigned roles by line managers ensures that employees have the appropriate access privileges for their current job functions and that any access rights associated with their former role are revoked. This ongoing review helps prevent employees from retaining unnecessary or excessive privileges after moving to a new department. While reviewing business roles is important for ensuring that roles align with organizational needs, it does not specifically address the need to remove excess privileges when an employee changes departments.

I go with B. Somebody has to review the ASSIGNED roles. What roles does the new employee have? Not A: That means to review the configuration of the roles in general not in particular wheather they are correct assigned on an employee account or not.

answer is c

SoD is focused on splitting roles into smaller chunks for separate people. Its focus is on preventing abuse of one person or being overly dependent on person. Its primary focus is not to evaluate if a person's role matches their duties. Therefore, I believe it is A. Business role review

I do not think that C (SoD review) is related to the original objective (not retain access privileges when moving departments) but it could be an additional measurement. A & B are a bit the same, but I prefer B (also approved by ChatGPT & Copilot). I really do not like this question.

Answer C: Segregation of duties (SoD) review This isn't asking about RBAC. It's asking "Which ADDITIONAL MEASURE...." so after RBAC is implemented, the next step is Separation of Duties. Separation of Duties (SOD) is a fundamental security principle used to prevent fraud and detect errors [5]. Role Based Access Control (RBAC) provides organisations with a platform to implement this security principle. https://www.diva-portal.org/smash/get/diva2:832009/FULLTEXT01.pdf The wording on these questions tries to trick you. A business role review is part of the RBAC that they have "ALREADY implemented" per the question verbiage, so the business role review has already been completed/

Take a look at question 454 to gain a better understanding of the usecase of SOD and its review: it does not directly address the issue here

segregation or separation of duty aims to distribute task to multiple individual to prevent conflict of interest, fraud, errors, misuse. it does not directly address privilege creep. RBAC and reviews of privileges addresses this issue.

"Business role review," is also an important measure in the context of role-based access control (RBAC). However, the question specifically highlights the concern that employees who move to different departments do not retain access privileges from their previous departments. Business role review involves regularly evaluating and reviewing the roles assigned to users to ensure they remain appropriate and necessary. While relevant, Segregation of Duties (SoD) focuses more specifically on preventing an individual from having inappropriate combinations of roles that could lead to excess privileges. SoD helps prevent conflicts of interest and reduces risk by ensuring that certain critical functions are separated.

Answer A) Business Role Review Role Based Access Control is literally giving someone access according to the role they are in. You need to review these business roles and analysis if the access they have are still the right ones to have or should be adjusted if the business has changed. https://soterion.com/periodic-review-manager/#:~:text=Business%20Role%20Review

C. Segregation of Duties (SoD) review While business role reviews are important for aligning access privileges with an individual's current job responsibilities, segregation of duties (SoD) review is the most important additional measure to successfully limit excess access privileges in conjunction with role-based access control (RBAC). SoD review focuses on ensuring that no single individual is responsible for an entire transaction, thereby preventing the abuse of control and reducing the risk of fraudulent or unethical activities. It is an important element of many common audit, legal, and privacy regulation standards, such as HIPAA, SOX, GDPR, PCI, and SHIELD.

C) Performing a Segregation of Duties (SoD) review is the most important additional measure to limit excess access privileges when implementing Role-Based Access Control (RBAC). An SoD review analyzes user roles and access to ensure the same user does not have permissions that create a conflict of interest or control fraud opportunity. This catches privilege creep due to outdated role assignments. The other options are less effective: A) Business role reviews validate appropriate role design but won't catch outdated role assignments. B) Line manager role reviews are good but managers may lack context to identify SoD conflicts. D) An access control matrix details permissions but does not flag SoD violations.

B. At my job line managers do periodic access reviews and remove extra.

A review is key. SOD review is the only correct answer. Others don’t do anything.