CISSP - 2018 Confusing questions
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. Identity provisioning
B. Access recovery
C. Multi-factor authentication (MFA)
D. User access review
Comments
-
bjpeter Member Posts: 198 ■■■□□□□□□□
The answer should be D because a user access review would uncover users who have more privileges than they should have.
2021 Goals (2): SSCP, eCPPT
Achieved (27): Certified Associate in Python Programming, Microsoft Certified: Azure Fundamentals, PenTest+, Project+, CySA+, Flutter Certified Application Developer, OCP Java EE 7 Application Developer, CCSP, OCP Java SE 11 Developer, CISSP, Linux+/LPIC-1, CCSKv4, OCE Java EE 6 JPA Developer, CSSLP, Server+, Cloud+, Arcitura Certified Cloud Professional, CASP+, Mobility+, Storage+, Android Certified Application Developer, OCP Java SE 8 Programmer, Security+, OCM Java SE 6 Developer, B.S. and M.S. in Computer Science -
Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
I thought D too because the word "maintain" in the question suggests ongoing correction and maintenance of your user/system accounts.
But now I'm arguing with myself that it should be A and I can't decide! Here's my thinking:
I thought identity provisioning was about creating new credentials, assigning group membership, etc. A good identity provisioning policy and procedure should ensure user accounts are only given the least amount of privileges required to do the job, and thus the organisation maintains the principle of least privilege in their company. Wouldn't this be a better pick out of the four because it's a more proactive option than D?
Should I have stuck with my first answer of D!? -
bjpeter Member Posts: 198 ■■■□□□□□□□
Rom1984 said:
I thought D too because the word "maintain" in the question suggests ongoing correction and maintenance of your user/system accounts.
But now I'm arguing with myself that it should be A and I can't decide! Here's my thinking:
I thought identity provisioning was about creating new credentials, assigning group membership, etc. A good identity provisioning policy and procedure should ensure user accounts are only given the least amount of privileges required to do the job, and thus the organisation maintains the principle of least privilege in their company. Wouldn't this be a better pick out of the four because it's a more proactive option than D?
Should I have stuck with my first answer of D!?
But to me, "maintain" means an ongoing process, so a user access review will help with making sure (maintaining) that a user has the least amount of privileges, hence D. -
Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
Yep, you've convinced me it's D, bjpeter! To maintain surely means the ongoing maintenance, detection and correction of something. I need to nail down terms like "establish" and "maintain" so I can fully understand exactly what they are asking. Thanks for the clarification and help!
-
bjpeter Member Posts: 198 ■■■□□□□□□□
Rom1984 said:
Yep, you've convinced me it's D, bjpeter! To maintain surely means the ongoing maintenance, detection and correction of something. I need to nail down terms like "establish" and "maintain" so I can fully understand exactly what they are asking. Thanks for the clarification and help! -
Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
I did my SSCP about four months ago, then took a break over Christmas and started the EC-Council ECIH in January thinking it would help me towards the CISSP. What a mistake that was, so I stopped doing that and have just started CISSP study. I've got my eyes on May as the exam date.
-
bjpeter Member Posts: 198 ■■■□□□□□□□
Rom1984 said:
I did my SSCP about four months ago, then took a break over Christmas and started the EC-Council ECIH in January thinking it would help me towards the CISSP. What a mistake that was, so I stopped doing that and have just started CISSP study. I've got my eyes on May as the exam date.
1. Sybex 8th Edition
2. Harris Practice Exams 5th Edition
3. Boson Exam Simulator -
TeeDarling77 Member Posts: 16 ■■■□□□□□□□
This question is definitely tricky! But looking at it one way, one can say that regular user entitlement and access reviews can discover excessive or creeping privileges. Through the process of access review, one can definitely maintain the principle of least privilege. "User Access Review" will be my choice here. :)
-
DZA_ Member Posts: 467 ■■■■■■■□□□
bjpeter hit the nail on the head. I would recommend taking the time to review all the answers to see how the best-fit answer addresses the question and what outcomes that answer drives. Ultimately the question is how to combat scope creep, and that is through user account entitlement reviews, as the other folks have pointed out. ISC2 has some tricky wording! Good luck OP with your studying.
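The posters above agree that a user access review maintains least privilege by uncovering entitlements an account holds beyond what its current job role justifies. Below is an added example of what such a review looks like in code; it is not from the thread or from any vendor's IAM product. The role baseline, the accounts and every entitlement name are constructed for the example, and the "former roles" field is an assumption standing in for transfer history from HR. It separates excess grants that a former role explains (privilege creep after a job change) from grants no role explains, and also flags orphaned accounts with no current role.

```python
from dataclasses import dataclass

# Constructed role baseline (assumption for this example): the entitlements each
# job role is expected to hold. In a real review this comes from the role catalogue.
ROLE_BASELINE = {
    "analyst": {"read:reports", "read:tickets"},
    "engineer": {"read:reports", "read:tickets", "write:tickets", "deploy:staging"},
    "admin": {"read:reports", "read:tickets", "write:tickets",
              "deploy:staging", "deploy:prod", "admin:iam"},
}


@dataclass
class Account:
    user: str
    roles: frozenset                        # current job roles (HR / directory)
    entitlements: frozenset                 # effective grants exported from IAM
    former_roles: frozenset = frozenset()   # roles held before a transfer (assumed field)


def expected_entitlements(roles, baseline=ROLE_BASELINE):
    """Union of the baseline entitlements for a set of roles."""
    allowed = set()
    for role in roles:
        allowed |= baseline.get(role, set())
    return allowed


def review_account(acct, baseline=ROLE_BASELINE):
    """Compare one account's grants with what its current roles justify."""
    allowed = expected_entitlements(acct.roles, baseline)
    excess = set(acct.entitlements) - allowed
    # Excess grants that a former role explains are classic privilege creep:
    # access that should have been removed when the person changed jobs.
    creep = excess & expected_entitlements(acct.former_roles, baseline)
    return {
        "user": acct.user,
        "orphaned": not acct.roles,              # no current role at all
        "creep": sorted(creep),
        "unexplained": sorted(excess - creep),   # justified by no role, past or present
        "missing": sorted(allowed - set(acct.entitlements)),  # informational only
        "needs_action": bool(excess) or not acct.roles,
    }


def run_review(accounts, baseline=ROLE_BASELINE):
    """Review an IAM export and return only the accounts that need action."""
    findings = (review_account(a, baseline) for a in accounts)
    return [f for f in findings if f["needs_action"]]


# Constructed IAM export for the example.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"analyst"}),
            frozenset({"read:reports", "read:tickets"})),
    Account("bob", frozenset({"analyst"}),
            frozenset({"read:reports", "read:tickets", "write:tickets", "deploy:staging"}),
            former_roles=frozenset({"engineer"})),
    Account("carol", frozenset({"engineer"}),
            frozenset({"read:reports", "read:tickets", "write:tickets",
                       "deploy:staging", "admin:iam"})),
    Account("dave", frozenset(), frozenset({"read:tickets"})),
]

if __name__ == "__main__":
    for finding in run_review(SAMPLE_ACCOUNTS):
        print(finding)
```

Run against the sample export, the review clears alice, reports bob's two engineer grants as creep left over from his old role, reports carol's `admin:iam` as unexplained by any role, and flags dave as an orphaned account that still holds access. Each "needs_action" finding is what a reviewer would route to the entitlement owner for revocation or re-approval.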
-
mikey88 Member Posts: 495 ■■■■■■□□□□
Here's another one for you:
Which of the following is the MOST important step in protecting sensitive information?
A - Sanitization
B - Storage
C - Retention
D - Labeling
Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux -
DZA_ Member Posts: 467 ■■■■■■■□□□
Which of the following is the MOST important step in protecting sensitive information?
A - Sanitization (End outcome: this is usually at the end of the data lifecycle when the data is no longer in use, so it is not applicable when the data is active or in use)
B - Storage (End outcome: not applicable in this context)
C - Retention (End outcome: how long data is retained; it's important, but it's not the best step for protecting data upfront)
D - Labeling (Labeling is based on the classification scheme the company is using, which sets the policies and procedures on how the data is handled and protected)
Cheers, -
mikey88 Member Posts: 495 ■■■■■■□□□□
Yes, that's correct. But just labeling the data without properly securing (storing) it will not protect it. Maybe it could have been worded differently. Also, sensitive data doesn't mean it's classified, e.g. PII is sensitive.
-
DZA_ Member Posts: 467 ■■■■■■■□□□
mikey88 said:
Yes, that's correct. But just labeling the data without properly securing (storing) it will not protect it. Maybe it could have been worded differently. Also, sensitive data doesn't mean it's classified, e.g. PII is sensitive.
-
oscarmack Member Posts: 8 ■■□□□□□□□□
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. Identity provisioning
B. Access recovery
C. Multi-factor authentication (MFA)
D. User access review
Should be D. No need to overthink; the words have been chosen carefully, so answer just as you understand it. -
UsualSuspect7 Member Posts: 97 ■■■□□□□□□□
mr.india said:
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. Identity provisioning
B. Access recovery
C. Multi-factor authentication (MFA)
D. User access review
The emphasis is on "maintain".
B & C
- We can all eliminate these.
A
- "Provisioning": if the question were asking about creating, I would say this would be correct; however, the account has already been created, and therefore the question is asking about maintaining.
D
- The answer.
- The question is asking about maintaining, and D is talking about reviewing an account. You can only review existing accounts.
CISSP, CCENT, CCNA R/S, CCNA Cyber Ops, Security+, CySA+, PenTest+, Network+, Microsoft AZ-900, InsightVM CA -
UsualSuspect7 Member Posts: 97 ■■■□□□□□□□
mikey88 said:
Here's another one for you:
Which of the following is the MOST important step in protecting sensitive information?
A - Sanitization
B - Storage
C - Retention
D - Labeling
Protecting sensitive information; interesting:
A) Sanitization
- The practice of removing sensitive information from the data.
B) Storage
- The question is alluding to data being stored.
C) Retention
- Duration of sensitive data being stored.
D) Labeling
- Classification of data to determine what is sensitive and what's not.
- Then classify the level of sensitive information.
I think the answer is D.