Exam CISSP topic 1 question 85 discussion

Actual exam question from ISC's CISSP
Question #: 85
Topic #: 1
[All CISSP Questions]

Which one of the following BEST protects vendor accounts that are used for emergency maintenance?

  • A. Vendor access should be disabled until needed
  • B. Frequent monitoring of vendor access
  • C. Role-based access control (RBAC)
  • D. Encryption of routing tables
Suggested Answer: C

Comments

Rollizo
Highly Voted 1 year, 7 months ago
It is A for sure. If you have this account enabled, you don't know how the third party manages the credentials or protects the computer or the keys. Then it is a security hole, and it needs to be enabled only during outages or big faults.
upvoted 9 times
jackdryan
11 months, 4 weeks ago
A is correct
upvoted 1 times
rajkamal0
Highly Voted 1 year, 4 months ago
Selected Answer: C
RBAC is the best answer. "Emergency" access - means active and available 24/7 - A is incorrect IMHO
upvoted 5 times
8b48948
Most Recent 2 weeks, 1 day ago
Don't think it would be A; would you want to have to re-enable account access in the event of an emergency?
upvoted 1 times
CCNPWILL
2 weeks, 1 day ago
A is a better choice than C. The answer is clearly A here. RBAC limits the role of the vendor account, but not enabling it until it's needed is the best way to ensure it gets used properly most of the time.
upvoted 1 times
homeysl
1 month, 2 weeks ago
Selected Answer: A
A for attack surface reduction
upvoted 1 times
Kyanka
1 month, 4 weeks ago
A: Emergency accounts are commonly a type of temporary account that needs to be disabled when not in use. Many SRGs/STIGs require these accounts to be accounted for and disabled in a timely manner when not actively needed.
upvoted 1 times
BabaRed
2 months ago
Selected Answer: A
"Emergency" should hopefully mean rarely used. If that's the case, then A. It could be a liability to give a third-party vendor RBAC access when they are rarely needed.
upvoted 1 times
stack120566
2 months ago
Vendors (not partners) are usually called upon on an ad hoc basis to offer intermittent service. These vendors are usually delegated certain RBAC access within an application, and possibly within a database, in support of the application or service that they are the vendor of. The best way is to leave the account disabled when not in use. Partners may have tools to monitor and authorization to provide ongoing support for applications; vendors would not. Vendors are much more restricted.
upvoted 1 times
YesPlease
4 months, 3 weeks ago
Selected Answer: A
Answer A) According to CIS (Center for Internet Security) a. Emergency Accounts: Emergency Accounts are intended for short-term use and include restrictions on creation, point of origin, and usage (i.e., time of day, day of week). SEs may establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts must be automatically disabled after 24 hours. https://www.cisecurity.org/wp-content/uploads/2020/06/Account-Management-Access-Control-Standard.docx
upvoted 2 times
Soleandheel
4 months, 4 weeks ago
I'm going with C. RBAC, as opposed to A. Disabling until needed. My reason is because of the keyword "Emergency". Enabling a disabled account in time of an emergency can be time consuming and challenging, whereas in the case of RBAC the needed access is all set to go. Logically C. RBAC makes more sense. I believe the correct answer here is C.
upvoted 2 times
Moose01
6 months, 3 weeks ago
A. It is an account that a vendor support engineer logs in to, and an in-house engineer will monitor while he is performing his support work. The account is disabled once the job is completed. RBAC for everyone, 99% of the time, unless it's another type of access control.
upvoted 1 times
homeysl
6 months, 3 weeks ago
Selected Answer: A
A is my answer. It says use for emergency maintenance.
upvoted 1 times
aape1
7 months ago
Selected Answer: C
C is the Best. This is how you should think to get the answer, not the real-world application. You can only apply one answer, which one will protect it. If you protect the account during disable, what about when you need to enable it for an emergency? Without any RBAC on the vendor account, there is no control when you enable it. The CISSP exam doesn't like no control.
upvoted 2 times
printfmarcelo
8 months, 1 week ago
Selected Answer: A
From: Cissp Certified Inf Systems Sec Prof Official Study Guide - 9th Edition. Account Access Review: Many administrators use scripts to check for inactive accounts periodically. For example, a script can locate accounts that users have not logged onto in the past 30 days and automatically disable them. Similarly, scripts can check group membership of privileged groups (such as administrator groups) and remove unauthorized accounts.
upvoted 2 times
printfmarcelo
8 months, 1 week ago
Significant benefit of role-based access control : Reduction in authorization administration overhead.
upvoted 2 times
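As an added illustration (not from the thread or from ExamTopics), the following Python sketch models the two controls quoted above: the CIS rule that emergency accounts auto-disable after 24 hours (YesPlease's comment) and the study-guide account-review script that disables accounts unused for 30 days (printfmarcelo's comment), with a role check so that options A and C work together. Account names, role names, the permission map and the ticket id INC-0001 are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values; the 24h figure is from the CIS quote, the 30-day figure from the study-guide quote
EMERGENCY_WINDOW = timedelta(hours=24)
INACTIVITY_LIMIT = timedelta(days=30)

# Hypothetical RBAC permission map (constructed): what each role may do
ROLE_PERMISSIONS = {
    "vendor-maint": {"read-logs", "restart-service", "apply-patch"},
    "app-admin": {"read-logs", "restart-service", "apply-patch", "manage-users"},
}


@dataclass
class Account:
    name: str
    roles: set
    emergency: bool = False
    enabled: bool = False                 # option A: disabled by default
    enabled_at: Optional[datetime] = None
    last_login: Optional[datetime] = None
    audit: list = field(default_factory=list)


def enable_for_emergency(acct, now, ticket):
    """Activate a dormant emergency account and record who asked and why."""
    if not acct.emergency:
        raise ValueError(f"{acct.name} is not an emergency account")
    acct.enabled = True
    acct.enabled_at = now
    acct.audit.append((now, "enabled", ticket))


def permitted(acct, action, now):
    """Grant access only if the account is enabled, inside its 24h window
    (for emergency accounts), and one of its roles carries the permission."""
    if not acct.enabled:
        return False
    if acct.emergency and acct.enabled_at is not None \
            and now - acct.enabled_at > EMERGENCY_WINDOW:
        return False
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in acct.roles)


def record_login(acct, now):
    acct.last_login = now


def review_accounts(accounts, now):
    """Periodic review script: disable expired emergency accounts and accounts
    with no login for more than INACTIVITY_LIMIT. Returns the names disabled."""
    disabled = []
    for acct in accounts:
        if not acct.enabled:
            continue
        reason = None
        if acct.emergency and acct.enabled_at is not None \
                and now - acct.enabled_at > EMERGENCY_WINDOW:
            reason = "emergency window expired"
        else:
            last_seen = acct.last_login or acct.enabled_at
            if last_seen is not None and now - last_seen > INACTIVITY_LIMIT:
                reason = "inactive beyond limit"
        if reason:
            acct.enabled = False
            acct.audit.append((now, "disabled", reason))
            disabled.append(acct.name)
    return disabled


def demo():
    """Walk a constructed vendor emergency account through its lifecycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vendor = Account("vendor-emerg", {"vendor-maint"}, emergency=True)
    admin = Account("app-admin-1", {"app-admin"}, enabled=True,
                    enabled_at=t0 - timedelta(days=100),
                    last_login=t0 - timedelta(days=45))
    results = {}
    results["before"] = permitted(vendor, "restart-service", t0)          # disabled by default
    enable_for_emergency(vendor, t0, "INC-0001")                            # constructed ticket id
    record_login(vendor, t0 + timedelta(hours=1))
    results["during"] = permitted(vendor, "restart-service", t0 + timedelta(hours=2))
    results["out_of_role"] = permitted(vendor, "manage-users", t0 + timedelta(hours=2))
    results["after"] = permitted(vendor, "restart-service", t0 + timedelta(hours=25))
    results["review"] = review_accounts([vendor, admin], t0 + timedelta(hours=25))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The role check alone never lets a disabled account in, and the disable-by-default rule alone never widens what an enabled account may do, which is why the thread's "A and C together" position is the one an operator would actually deploy.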
BoZT
8 months, 2 weeks ago
Selected Answer: A
A is the answer. Even with RBAC, it only limits the permission of this account, but if you don't disable the account on time, risk will be always there.
upvoted 1 times
xxxBadManxxx
8 months, 3 weeks ago
Seriously, you guys need to stop answering wrong. The correct answer is A: vendor access should be disabled until needed is the best approach to protect vendor accounts that are used for emergency maintenance. Disabling vendor access until it is needed reduces the risk of unauthorized access or misuse of the vendor accounts.
upvoted 4 times
Bach1968
10 months ago
Selected Answer: C
Role-based access control (RBAC) (Option C) can indeed be an effective measure for protecting vendor accounts used for emergency maintenance. RBAC allows organizations to assign specific roles and permissions to users or vendors based on their responsibilities and job functions. By implementing RBAC, organizations can control and restrict access to sensitive systems and resources, including vendor accounts. This helps ensure that vendors have only the necessary access privileges required to perform their emergency maintenance tasks and limits the potential for unauthorized access or misuse. RBAC enables organizations to define and enforce access policies, manage user permissions, and regularly review and update access rights based on changing needs and circumstances. It provides a structured approach to access control, reducing the risk of unauthorized actions by vendors during emergency maintenance. Now, in my organization I use A and C; make sure to disable the account after they are done with the service.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other