CISSP - 2018 Confusing questions

mr.india Registered Users Posts: 3 ■■□□□□□□□□
Which Identity and access Management (IAM) process can be used to maintain the principle of least privilege?
A. Identity provisioning
B. Access recovery.
C. multi-factor (MFA)
D. User access Review

Comments

  • bjpeter Member Posts: 198 ■■■□□□□□□□
    The answer should be D because a user access review would uncover users who have more privileges than they should have.
    2021 Goals (2): SSCP, eCPPT
    Achieved (27): Certified Associate in Python Programming, Microsoft Certified: Azure Fundamentals, PenTest+, Project+, CySA+, Flutter Certified Application Developer, OCP Java EE 7 Application Developer, CCSP, OCP Java SE 11 Developer, CISSP, Linux+/LPIC-1, CCSKv4, OCE Java EE 6 JPA Developer, CSSLP, Server+, Cloud+, Arcitura Certified Cloud Professional, CASP+, Mobility+, Storage+, Android Certified Application Developer, OCP Java SE 8 Programmer, Security+, OCM Java SE 6 Developer, B.S. and M.S. in Computer Science
  • Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
    I thought D too because the word "maintain" in the question suggests on-going correction and maintenance of your user/system accounts.

    But now I'm arguing with myself that it should be A and I can't decide! Here's my thinking:

    I thought identity provisioning was about creating new credentials, assigning group membership etc. A good identity provisioning policy and procedure should ensure user accounts are only given the least amount of privileges required to do the job, and thus the organisation maintains the principle of least privilege in their company. This would be a better pick out of the four because it's a more pro-active option rather than D?

    Should I have stuck with my first answer of D!?
  • bjpeter Member Posts: 198 ■■■□□□□□□□
    edited February 2019
    Rom1984 said:
    I thought D too because the word "maintain" in the question suggests on-going correction and maintenance of your user/system accounts.

    But now I'm arguing with myself that it should be A and I can't decide! Here's my thinking:

    I thought identity provisioning was about creating new credentials, assigning group membership etc. A good identity provisioning policy and procedure should ensure user accounts are only given the least amount of privileges required to do the job, and thus the organisation maintains the principle of least privilege in their company. This would be a better pick out of the four because it's a more pro-active option rather than D?

    Should I have stuck with my first answer of D!?
    If the question used “establish” instead of “maintain”, I’d definitely pick A.

    But to me, maintain means an ongoing process, so a user access review will help with making sure or maintaining that a user has the least amount of privileges, hence D.
  • Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
    Yep, you've convinced me it's D, bjpeter! To maintain surely means the on-going maintenance, detection and correction of something. I need to nail down terms like 'establish' and 'maintain' so I can fully understand exactly what they are asking. Thanks for the clarification and help!
  • bjpeter Member Posts: 198 ■■■□□□□□□□
    Rom1984 said:
    Yep, you've convinced me it's D, bjpeter! To maintain surely means the on-going maintenance, detection and correction of something. I need to nail down terms like 'establish' and 'maintain' so I can fully understand exactly what they are asking. Thanks for the clarification and help!
    Read the question slowly and many times if you have to. When are you taking the exam? :)
  • bjpeter Member Posts: 198 ■■■□□□□□□□
    Rom1984 said:
    Yep, you've convinced me it's D, bjpeter! To maintain surely means the on-going maintenance, detection and correction of something. I need to nail down terms like 'establish' and 'maintain' so I can fully understand exactly what they are asking. Thanks for the clarification and help!
    Your question is an excellent case where two answers are definitely wrong or make no sense, one answer sounds good, and the other one is the best (and the correct answer).
  • Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
    I did my SSCP about four months ago, then took a break over Christmas and started the EC-Council ECIH in Jan thinking it would help me towards the CISSP. What a mistake that was, so I stopped doing that and have just started CISSP study. I've got my eyes on May as the exam date.
  • bjpeter Member Posts: 198 ■■■□□□□□□□
    Rom1984 said:
    I did my SSCP about four months ago, then took a break over Christmas and started the EC-Council ECIH in Jan thinking it would help me towards the CISSP. What a mistake that was, so I stopped doing that and have just started CISSP study. I've got my eyes on May as the exam date.
    I highly recommend the “Big Three” (imho) resources:

    1. Sybex 8th Edition
    2. Harris Practice Exams 5th Edition
    3. Boson Exam Simulator
  • TeeDarling77 Member Posts: 16 ■■■□□□□□□□
    This question is definitely tricky! But looking at it in a way, one can say that regular user entitlement and access reviews can discover excessive or creeping privileges. Through the process of access review, one can definitely maintain the principle of least privilege. "User Access Review" will be my choice here.....:)
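    The access review the posters above describe, reduced to code as an added illustration (this is not from the thread or from any particular IAM product): each account's current entitlements are compared against a least-privilege baseline for its role, and anything beyond the baseline is reported for revocation. The role baselines, entitlement names and accounts are constructed for the example; a real review would pull them from the directory and the HR system of record.

```python
"""Added example (not from the thread): a minimal user access review that
compares each account's entitlements against its role's least-privilege
baseline and reports the excess. Roles, entitlements and accounts below are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role baselines: the minimum entitlements each role needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk":  {"ticket:read", "ticket:write", "user:reset-password"},
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "finance":   {"ledger:read", "ledger:write", "payroll:read"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]


@dataclass
class Finding:
    user: str
    reason: str   # "excess-entitlement" or "unknown-role"
    detail: str   # the excess entitlements, or the unrecognised role


def review_access(accounts: List[Account],
                  baselines: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Finding]:
    """Return one finding per account whose access exceeds its role baseline.

    Having fewer entitlements than the baseline is not a finding: least
    privilege is an upper bound, not a target to fill."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = baselines.get(acct.role)
        if baseline is None:
            # No baseline means nothing to measure against; surface it rather than skip it.
            findings.append(Finding(acct.user, "unknown-role", acct.role))
            continue
        excess = acct.entitlements - baseline
        if excess:
            findings.append(Finding(acct.user, "excess-entitlement",
                                    ",".join(sorted(excess))))
    return findings


def remediation_plan(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map user -> entitlements to revoke: the concrete output a reviewer actions."""
    plan: Dict[str, Set[str]] = {}
    for f in findings:
        if f.reason == "excess-entitlement":
            plan[f.user] = set(f.detail.split(","))
    return plan


# Constructed sample: alice moved from finance to development but kept her old
# finance access (privilege creep); dave has a role with no defined baseline.
SAMPLE_ACCOUNTS = [
    Account("alice", "developer",
            {"repo:read", "repo:write", "ci:trigger", "payroll:read", "ledger:read"}),
    Account("bob", "helpdesk", {"ticket:read", "ticket:write"}),
    Account("carol", "finance", {"ledger:read", "ledger:write", "payroll:read"}),
    Account("dave", "contractor", {"repo:read"}),
]

if __name__ == "__main__":
    found = review_access(SAMPLE_ACCOUNTS)
    for f in found:
        print(f"{f.user}: {f.reason} ({f.detail})")
    print("revoke:", remediation_plan(found))
```

    Run on the sample data, only alice (two leftover finance entitlements) and dave (no baseline for his role) are reported; bob, who holds less than his baseline, is left alone. Running this on a schedule is what turns provisioning's one-time decision into the ongoing "maintain" the question is asking about.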
  • DZA_ Member Posts: 467 ■■■■■■■□□□
    BJPeter hit the nail on the head. I would recommend taking the time to review all the answers to see how the best-fit answer addresses the question and what outcomes that answer drives. Ultimately, the question is how to combat scope creep, which is through user account entitlement reviews, as the other folks have pointed out. ISC2 has some tricky wording! Good luck OP with your studying.
  • mikey88 Member Posts: 495 ■■■■■■□□□□
    edited February 2019
    Here's another one for you:

    Which of the following is the MOST important step in protecting sensitive information?
    A - Sanitization
    B - Storage
    C - Retention
    D - Labeling


    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • Rom1984 Registered Users Posts: 10 ■■□□□□□□□□
    @mikey88 - labelling? Because to protect the data you've first got to classify it so you can distinguish what needs to be protected and at what level? 
  • DZA_ Member Posts: 467 ■■■■■■■□□□
    edited February 2019
    Which of the following is the MOST important step in protecting sensitive information?
    A - Sanitization (End outcome: this is usually at the end of the data lifecycle when the data is not in use, so this is not applicable when the data is active or in use)
    B - Storage (End outcome: not applicable in this context)
    C - Retention (End outcome: how long data is retained; it's important, but it's not the best step to protecting data upfront)
    D - Labeling (Labeling is based on the classification scheme that the company is using, and sets the policies and procedures on how the data is handled and protected)

    Cheers, 
  • mikey88 Member Posts: 495 ■■■■■■□□□□
    Yes, that's correct. But just labeling the data without properly securing (storing) it will not protect it. Maybe it could have been worded differently. Also, sensitive data doesn't mean it's classified, i.e. PII is sensitive.

  • DZA_ Member Posts: 467 ■■■■■■■□□□
    edited February 2019
    mikey88 said:
    Yes, that's correct. But just labeling the data without properly securing (storing) it will not protect it. Maybe it could have been worded differently. Also, sensitive data doesn't mean it's classified, i.e. PII is sensitive.
    That is true about the physical security and the storage technology behind it making it secure. Don't get me wrong, that plays a part in securing data, but it's not the most important one of the ones listed. Assuming that you have the data protection policy in place, labeling the data is one of the important steps in securing the data. It so happens to be one of the first steps too.
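    To make the "label drives handling" point from DZA_'s breakdown concrete, here is an added example (not from the thread, and not any vendor's DLP or classification tooling): a small checker that derives the required storage and retention controls from each record's label, flags records that fail them, and also catches mikey88's case of sensitive data that was never labeled at all. The handling policy, the PII pattern (a US SSN shape) and the records are constructed for the example.

```python
"""Added example (not from the thread): checking stored records against
handling rules that follow from their classification label. The policy,
the PII pattern and the records below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed handling policy: what each label requires of storage and retention.
HANDLING: Dict[str, dict] = {
    "public":       {"encrypt_at_rest": False, "retention_days": 3650},
    "internal":     {"encrypt_at_rest": False, "retention_days": 1825},
    "confidential": {"encrypt_at_rest": True,  "retention_days": 730},
}

# Constructed pattern for one kind of PII (a US SSN shape). It is used to catch
# sensitive data that was never labeled, or was labeled below "confidential".
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Record:
    name: str
    label: Optional[str]   # None means the record was never classified
    encrypted: bool        # encrypted at rest in its storage location
    age_days: int
    content: str


def check_record(rec: Record, policy: Dict[str, dict] = HANDLING) -> List[str]:
    """Return the handling issues for one record; an empty list means compliant."""
    issues: List[str] = []
    has_pii = bool(SSN_RE.search(rec.content))
    if rec.label is None:
        issues.append("unlabeled")
        if has_pii:
            issues.append("unlabeled-pii")   # sensitive, but no label means no rules apply
        return issues
    rule = policy.get(rec.label)
    if rule is None:
        return ["unknown-label"]             # a label the scheme does not define
    if rule["encrypt_at_rest"] and not rec.encrypted:
        issues.append("unencrypted")         # the storage control the label demands
    if rec.age_days > rule["retention_days"]:
        issues.append("past-retention")      # now a candidate for sanitization
    if has_pii and rec.label != "confidential":
        issues.append("mislabeled-pii")      # label too low for the content
    return issues


def review_records(records: List[Record],
                   policy: Dict[str, dict] = HANDLING) -> Dict[str, List[str]]:
    """Map record name -> issues, listing only records with at least one issue."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        issues = check_record(rec, policy)
        if issues:
            result[rec.name] = issues
    return result


# Constructed sample records covering the compliant and each failing case.
SAMPLE_RECORDS = [
    Record("newsletter.txt", "public", False, 100, "Welcome to the spring release"),
    Record("hr-export.csv", None, False, 30, "jane,123-45-6789,payroll"),
    Record("contracts.db", "confidential", False, 900, "vendor terms"),
    Record("notes.md", "internal", True, 10, "employee 987-65-4321 onboarding"),
]

if __name__ == "__main__":
    for name, issues in review_records(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(issues)}")
```

    Notice that storage, retention and sanitization all appear in the checker, but every one of those checks is looked up by label: without the label the code cannot even decide whether encryption is required or when the data is due for disposal, which is the sense in which labeling comes first.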
  • oscarmack Member Posts: 8 ■■□□□□□□□□
    Which Identity and access Management (IAM) process can be used to maintain the principle of least privilege?
    A. Identity provisioning
    B. Access recovery.
    C. multi-factor (MFA)
    D. User access Review

    should be D.  No need to overthink, the words have been chosen carefully so answer just as you understand it.
  • UsualSuspect7 Member Posts: 97 ■■■□□□□□□□
    mr.india said:
    Which Identity and access Management (IAM) process can be used to maintain the principle of least privilege?
    A. Identity provisioning
    B. Access recovery.
    C. multi-factor (MFA)
    D. User access Review


    The emphasis is on "maintain"

    B & D
    - We all can eliminate.

    A
    - "provisioning": if the question was asking about creating, I would say this would be correct; however, the account has already been created and therefore the question is asking about maintaining.


    D
    - The Answer.
    - The question is asking about maintaining; D is talking about reviewing an account. You can only review existing accounts.
    CISSP, CCENT, CCNA R/S, CCNA Cyber OPs, Security+, CySA+, PenTest+, Network+, Microsoft AZ-900, InsightVM CA
  • UsualSuspect7 Member Posts: 97 ■■■□□□□□□□
    mikey88 said:
    Here's another one for you:

    Which of the following is the MOST important step in protecting sensitive information?
    A - Sanitization
    B - Storage
    C - Retention
    D - Labeling
    Protecting sensitive information; interesting:


    A) Sanitization
    - the practice of removing sensitive information from the data.

    B)  Storage
    - The question is alluding to data being stored.

    C) Retention:
    - Duration of sensitive data being stored.

    D) Labeling:
    - Classification of data to determine what is sensitive and what's not. 
    - then* classify the level of sensitive information.


    I think the answer is D.