Exam N10-008 topic 1 question 239 discussion

The answer should be B. Separation of duties has to do with splitting tasks among employees to reduce the chance of one employee committing fraud. Least privilege is when you only provide employees with the account privileges they need to complete their work.

ChatGPT even says it's B.

Having access to managing the department you are apart of but not another department is an example of D. Separation of Duties.

The answer is B.

Separation of duties implies they are denied access, least privilege could be they have access but it’s limited.

Why would a systems operator need access to financial & project management applications?

Least privilege is keeping a minimum of privileges to users unless there is an absolute need to have that privilege given for whatever they are doing, this is a good method for initiating new employees to your company. Separation of Duties ensures that you don't give full control of every department of the company to others. You don't want your sales team to also have control over the other departments including finances, because this will create an imbalance of authority making sales numbers the only important factor to team decisions & development.

D. Separation of duties The security principle in use here is "Separation of duties." Separation of duties is a security concept that involves dividing tasks and privileges among multiple individuals or systems to prevent conflicts of interest and reduce the risk of unauthorized actions. In this case, the operator is granted access to specific applications and denied access to others to ensure that their role and responsibilities do not include access to financial and project management applications. This helps maintain security and prevents potential misuse of sensitive information or unauthorized actions.

B. Least privilege The principle of least privilege is being applied in this scenario, where the systems operator is granted access only to the specific applications required for their role and is denied access to unnecessary applications, such as financial and project management applications.

Separation of duties has to do with splitting tasks among employees to reduce the chance of one employee committing fraud. Least privilege is when you only provide employees with the account privileges they need to complete their work.

denied access by security means least privilege

B. Least privilege.

After thinking through, it is definitely least privilege. Because separation of duties is mostly about multiple people required to complete something (not same as 4 eyes principle) but separate functions and not same function.

Feels like separation of duties. There are 3 sentences here. First one boils down to "x person only gets access to applications they need to do their job" which feels entirely like least priv. Second sentence explicitly states they are being denied access to some things. I think the way the sentence is worded means, its meant to be interpreted such that the applications do exist and they are being used, presumably by someone else, which is more in line with separation of duties. I think if it was truly b, then there would be no need for a second sentence.

I asked ChatGPT and its response was Least privilege even though I thought it was Separation of duties, so I decided to argue a little bit. Me: Why is it not separation of duties? Since the operator is not allowed to access to the financial and project management applications, it means that financial applications can be accessed, for example, by the finance department or payroll department, while project management applications are accessible by only the project managers. Isn't it right? ChatGPT: You are correct in your understanding of the separation of duties principle, which involves dividing responsibilities among different individuals or departments to prevent a single person or group from having too much power or control over certain functions. However, the given scenario emphasizes the access control for a single systems operator, focusing on the specific applications they are granted or denied access to, which aligns more with the principle of least privilege. So, I guess it is a Least Privilege after all :/

B is the correct answer. Least privilege is a security principle which states that users should receive only the necessary rights and permissions needed to do their job. In this question, the systems operator has access to only what he needs to his job. A is incorrect because network access control is a security model that authenticates users before allowing them to connect to the network. It has nothing to do with providing rights and permissions once they have accessed the network. In this question, the systems operator is already authenticated into the network. C is incorrect because multifactor authentication is forcing a user to authenticate themselves with more than one factor. Again, like answer A, the systems operator is already authenticated, which means that he should have gone through multifactor authentication already. D is incorrect because separation of duties is a defense in depth concept in which no individual has complete knowledge of a task/project or complete control to a system; individuals are given "parts" of the solution. This question does not mention splitting assignments between individuals, so answer D is incorrect.

I think this is about separation of duties. Least privilege says that an employee should only have exactly those access rights that are necessary for his/her job role. While that can be taken to mean that a systems administrator should not have access to financial data, the BETTER interpretation here is that limiting access is about prevention of ethical conflicts - which is what separation of duties is about.