It's B. Reason why it's not A: Role-based access control is a critical security measure, but it might not prevent an insider who is already authorized from abusing their access privileges.
D. Role-based access control: This is the most effective proactive control because it restricts an insider's ability to access or compromise confidential information in the first place, based on their job role and the principle of least privilege. According to IBM, RBAC helps defend against malicious insiders by limiting access to sensitive data and systems, making it harder for employees to maliciously or negligently misuse their access privileges to harm the organization.
RBAC limits access to information based on the roles of individual users within an organization, ensuring that employees only have access to the data necessary for their job functions. This minimizes the risk of unauthorized access and potential misuse of sensitive information by insiders.
While the other options are also important components of a comprehensive security strategy, RBAC is particularly effective in preventing malicious insiders from accessing confidential information they do not need for their roles.
Best "defense" against a user who may become malicious after being hired and passing a background investigation is RBAC. If the concern with RBAC is what if that user's role includes access to sensitive information, then normally you would have additional controls in place to mitigate that, like context-based and time-limited access controls, logging and monitoring, etc.
I was pro B, but now I reread the question, it's not asking for what is best practice. It's telling you users were ALREADY HIRED, what do we do now? Which is why it's D. Had it said, oh, what can we do to ensure insider threat is mitigated, then yeah, B all the way, but it's D since they are onboarded and hired. You are past background checks.
D. Role-based access control in this case.
There is another similar question that asks FIRST step and for that one is the background check/ screening.
We should read carefully
If their role requires them to have access to that confidential data, then additional defense-in-depth measures will be in place like logging and monitoring, SoD, and others. But if you have an insider that becomes malicious after a background investigation is done, how do you defend against that? RBAC
Only B. RBAC does not help. What if one of the top management/board of directors is a bad guy? He has privileges to a lot of important information at his management level.
D. Role-based access control (RBAC).
Role-based access control is a security strategy that limits access to computer systems and data based on individuals' roles or job functions within an organization. It ensures that individuals only have access to the information and resources necessary for them to perform their job duties, and nothing more. This approach minimizes the potential for unauthorized access to sensitive data by limiting access privileges to only what is required for an individual's specific role.
This is indeed a tough one. It could easily be B, as this has been reiterated in CISM and CISSP books. Also, background checks are preventative control. However, Hemang Doshi's CISM Exam prep guide (2nd Edition) book says the following:
"The best way to protect confidential information from an insider threat is to provide access to confidential information on a need-to-know basis, that is, role-based access control."
So I'm going to go with D here, but I'm not 100% sure.
Again, this question makes it sound like the individuals have already been hired so I would go D. They need a clear indication in these questions if the individuals are already "working" in the company or not.
RBAC is not effective if the malicious user's job involves accessing sensitive data. Background checks can't confirm an employee's current behaviour. The only way to check is by doing regular audits, hence A.
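Several commenters above describe the controls that sit alongside RBAC when a role legitimately includes sensitive data: need-to-know role permissions, separation of duties, time-limited access, and logging that can be reviewed in a later audit. The following Python example is added here to show how those pieces fit together in one authorization path; it is not code from the original thread or from any source the commenters cite, and the role names, resources, timestamps and denial threshold are constructed for illustration.

```python
"""Minimal RBAC engine with least-privilege roles, separation of duties,
time-limited elevation and an audit log that can be reviewed afterwards.
All role names, resources and thresholds below are constructed examples."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each role lists only the (resource, action) pairs that job function needs.
ROLE_PERMISSIONS = {
    "hr_analyst": {("employee_records", "read")},
    "hr_manager": {("employee_records", "read"), ("employee_records", "update")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "submit")},
    "payroll_approver": {("payroll", "read"), ("payroll", "approve")},
}

# Separation of duties: no single person may both submit and approve payroll.
SOD_CONFLICTS = [frozenset({"payroll_clerk", "payroll_approver"})]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    temporary_roles: dict = field(default_factory=dict)  # role -> expiry time


@dataclass
class AuditEvent:
    when: datetime
    user: str
    resource: str
    action: str
    allowed: bool


def _check_sod(name: str, roles: set) -> None:
    """Refuse any role combination that violates separation of duties."""
    for conflict in SOD_CONFLICTS:
        if conflict <= roles:
            raise ValueError(f"SoD violation for {name}: {sorted(conflict)}")


def assign_roles(user: User, roles: set) -> None:
    """Permanent role grant, checked against SoD including temporary roles."""
    _check_sod(user.name, user.roles | set(user.temporary_roles) | roles)
    user.roles |= roles


def grant_temporary(user: User, role: str, until: datetime) -> None:
    """Time-limited elevation: the role lapses at `until` with no revocation step."""
    _check_sod(user.name, user.roles | set(user.temporary_roles) | {role})
    user.temporary_roles[role] = until


def effective_roles(user: User, now: datetime) -> set:
    """Permanent roles plus any temporary roles that have not yet expired."""
    active = {r for r, expiry in user.temporary_roles.items() if expiry > now}
    return user.roles | active


def authorize(user: User, resource: str, action: str, now: datetime, audit_log: list) -> bool:
    """Allow only if some effective role permits the (resource, action); log every decision."""
    allowed = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                  for r in effective_roles(user, now))
    audit_log.append(AuditEvent(now, user.name, resource, action, allowed))
    return allowed


def flag_repeated_denials(audit_log: list, threshold: int = 3) -> list:
    """Audit review: users whose denied requests reach the threshold, sorted by name."""
    denied = Counter(e.user for e in audit_log if not e.allowed)
    return sorted(u for u, n in denied.items() if n >= threshold)


def demo() -> dict:
    """Walk through the controls on constructed users and return the decisions."""
    log = []
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice, bob = User("alice"), User("bob")
    assign_roles(alice, {"hr_analyst"})
    assign_roles(bob, {"payroll_clerk"})
    grant_temporary(alice, "hr_manager", t0 + timedelta(hours=8))  # expires 17:00

    results = {
        "alice_read": authorize(alice, "employee_records", "read", t0, log),
        "alice_update_during": authorize(alice, "employee_records", "update", t0 + timedelta(hours=1), log),
        "alice_update_after": authorize(alice, "employee_records", "update", t0 + timedelta(hours=9), log),
        "bob_read_hr": authorize(bob, "employee_records", "read", t0, log),
    }
    try:
        assign_roles(bob, {"payroll_approver"})  # would let bob submit and approve
        results["sod_blocked"] = False
    except ValueError:
        results["sod_blocked"] = True
    for i in range(3):  # repeated out-of-role requests show up in audit review
        authorize(bob, "payroll", "approve", t0 + timedelta(minutes=i), log)
    results["flagged"] = flag_repeated_denials(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is that the RBAC decision itself is a single set lookup; what makes it hold up against an insider whose role legitimately includes sensitive data is the surrounding controls, which is why `authorize` records every decision rather than only the denials, and why `flag_repeated_denials` is a separate review step rather than part of the access check.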