Effective CISSP Questions

Which of the following contributes the least to preventing privilege creep?
A. Need-to-know
B. Least privileges
C. Discretionary access control
D. Change management

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Discretionary access control. 

Scope Creep and Privilege Creep

In project management, scope creep means “unauthorized and uncontrolled increases to project scope.” (ISO/TR 21506:2018) When it comes to security, privilege creep means unauthorized and uncontrolled increases to a user’s privileges.

In other words, privilege creep results from bad practices in which privileges are granted (authorization) without complying with the need-to-know and least privilege principles and the change management process.

User Life Cycle

The following are some examples that may lead to privilege creep:

  1. An employee rotates positions over the years, and his roles or privileges are not updated in time. Instead, they accumulate and end up violating the need-to-know and least privilege principles.
  2. In some cases, privileges are granted without review or approval, or without following the change management process.
  3. In rare cases, privileges are granted wrongly, whether intentionally or unintentionally.

Privilege creep typically results from violating principles, procedures, or processes. Administrative controls such as need-to-know, least privilege, training, and change management prevent privileges from creeping.

Change Management

Discretionary Access Control (DAC)

However, it may surprise you that discretionary access control (DAC), a technical control, is the source of privilege creep, because technical solutions are employed and operated by people.

A feature of DAC is that privileges can be passed on from one person to another. If a data owner has authorized you to grant privileges to others, you can certainly do so, and people who receive the same level of privileges from you can do so as well. This is prone to privilege creep.

Those who are entitled to grant privileges or are in charge of implementing authorization in a DAC-based system should follow the need-to-know and least privilege principles and the change management process to prevent privileges from creeping.
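The two mechanisms described above, role rotation that leaves old privileges in place and DAC delegation that lets a grantee pass privileges on, can be shown in a small model. The following is an added example, not code from the original post; the roles, users, privileges and change-ticket numbers are all constructed for illustration. It models a DAC system where only the data owner or a holder with delegation rights may grant a privilege, records which grants went through change management, and runs a periodic access review that revokes whatever exceeds the user's current role (need-to-know and least privilege).

```python
"""Toy model of privilege creep under DAC with a periodic access review.

Added example; all names, roles, privileges and ticket ids are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed need-to-know map: the privileges each role actually requires.
ROLE_PRIVILEGES = {
    "accountant": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read", "audit-log:read"},
    "hr": {"payroll:read", "payroll:write"},
}


@dataclass
class Grant:
    privilege: str
    granted_by: str
    can_delegate: bool = False          # DAC: may the grantee pass this on?
    change_ticket: Optional[str] = None  # None = granted outside change management


@dataclass
class User:
    name: str
    role: str
    grants: dict = field(default_factory=dict)  # privilege -> Grant


class DacSystem:
    def __init__(self, owner: str):
        self.owner = owner
        self.users: dict = {}
        self.review_log: list = []

    def add_user(self, name: str, role: str) -> None:
        self.users[name] = User(name, role)

    def _may_delegate(self, grantor: str, privilege: str) -> bool:
        # The data owner can grant anything; others need an explicit delegation right.
        if grantor == self.owner:
            return True
        g = self.users[grantor].grants.get(privilege)
        return g is not None and g.can_delegate

    def grant(self, grantor, grantee, privilege, can_delegate=False, change_ticket=None):
        if not self._may_delegate(grantor, privilege):
            raise PermissionError(f"{grantor} may not delegate {privilege}")
        self.users[grantee].grants[privilege] = Grant(privilege, grantor, can_delegate, change_ticket)

    def rotate_role(self, name: str, new_role: str) -> None:
        # The role changes, but existing grants are left untouched: this is where creep starts.
        self.users[name].role = new_role

    def creeping_privileges(self, name: str) -> set:
        """Privileges held beyond what the user's current role needs."""
        u = self.users[name]
        return set(u.grants) - ROLE_PRIVILEGES[u.role]

    def ungoverned_grants(self, name: str) -> set:
        """Privileges granted without a change management ticket."""
        return {p for p, g in self.users[name].grants.items() if g.change_ticket is None}

    def access_review(self, name: str, change_ticket: str) -> set:
        """Revoke creeping privileges under a change ticket; return what was revoked."""
        revoked = self.creeping_privileges(name)
        for p in revoked:
            del self.users[name].grants[p]
        self.review_log.append((name, change_ticket, revoked))
        return revoked


def demo() -> dict:
    dac = DacSystem(owner="data-owner")
    dac.add_user("alice", "accountant")
    dac.add_user("bob", "auditor")
    # Onboarding via change management; alice may delegate ledger:read.
    dac.grant("data-owner", "alice", "ledger:read", can_delegate=True, change_ticket="CHG-001")
    dac.grant("data-owner", "alice", "ledger:write", change_ticket="CHG-001")
    # DAC delegation: alice passes ledger:read to bob with no ticket (ungoverned).
    dac.grant("alice", "bob", "ledger:read")
    # alice holds ledger:write without delegation rights, so this is refused.
    try:
        dac.grant("alice", "bob", "ledger:write")
        denied = False
    except PermissionError:
        denied = True
    # alice moves to HR; nobody removes her accounting grants.
    dac.rotate_role("alice", "hr")
    dac.grant("data-owner", "alice", "payroll:read", change_ticket="CHG-002")
    dac.grant("data-owner", "alice", "payroll:write", change_ticket="CHG-002")
    creep_before = dac.creeping_privileges("alice")
    revoked = dac.access_review("alice", "CHG-003")
    return {
        "delegation_denied": denied,
        "ungoverned_bob": dac.ungoverned_grants("bob"),
        "creep_before": creep_before,
        "revoked": revoked,
        "creep_after": dac.creeping_privileges("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The review step is the administrative control at work: the DAC system itself never objects to alice keeping ledger access after moving to HR, and it happily lets her hand ledger:read to bob with no ticket. Only a periodic comparison against the role's need-to-know, recorded under change management, brings the privileges back in line.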

TCB Access Control



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.


