An asset owner is authorizing user access to resources. Which of the following is the most crucial element that determines the scope of a user’s privileges? (Wentz QOTD)
A. Job description
B. Access control matrix
C. Acceptable use policy (AUP)
D. Information security strategy
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Job description.
An asset owner should authorize user access to resources based on the principles of need-to-know and least privilege. The access control matrix is the technical mechanism of privilege container or repository configured by custodians based on asset owners’ authorization or management decisions.
Job Description (JD)
- A job description (JD) is “a written narrative that describes the general tasks, or other related duties, and responsibilities of a position.” (Wikipedia)
- The job description is a “list of specific or general tasks, or functions, and goals or responsibilities of a position, as well as organizational conditions under which those tasks and functions are to be performed.” (ISO 30405:2016)
Need-to-know
- Need-to-know refers to the “decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.” (CNSSI 4009-2015)
- Duty refers to responsibility or “a task or action that one is required to perform as part of one’s job.” (Google Dictionary)
Least Privilege
- The least privilege principle in the context of authorization is “a security principle that restricts the access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to the minimum necessary to perform their jobs.” (NIST SP 800-57 Part 2)
- When it comes to the security architecture, least privilege is “the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” (CNSSI 4009-2015)
Acceptable Use Policy (AUP)
An Acceptable Use Policy is an important document that can demonstrate due diligence with regards to the security of your IT network and the protection of sensitive data in the event of a breach or regulatory audit. This importantly protects the organisation from legal actions.
Sometimes referred to as an Internet Usage and E-mail Policy or Acceptable IT Use policy, an AUP policy provide statements as to what behaviour is acceptable from users that work in or are connected to a network.
Source: BioMelbourne Network
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
資產擁有者(owner)正在授權用戶訪問資源。 以下哪一項是確定用戶特權(privilege)範圍的最關鍵要素?(Wentz QOTD)
A. 職位描述
B. 存取控制矩陣
C. 可接受的使用政策 (AUP)
D. 資訊安全戰略