Exam CISSP
Question 463

An organization wants to ensure that employees that move to a different department within the organization do not retain access privileges from their former department. To this end, the organization has implemented role-based access control (RBAC). Which additional measure is MOST important to successfully limit excess access privileges?

    Correct Answer: A

    To ensure employees who move departments do not retain access privileges from their former department, a business role review is crucial. This involves regularly evaluating and updating the roles assigned to employees to confirm they have the appropriate access for their current responsibilities. Conducting business role reviews helps prevent privilege creep by ensuring that access rights are adjusted as employees' roles and duties change.
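An added example (not from the exam or any vendor product) that separates the two checks this thread argues about: a business role review flags roles a transferred user kept from a former department, while an SoD review flags conflicting role pairs held by the same user. The role catalogue, SoD rule and employee records are constructed sample data.

```python
"""Periodic business role review versus SoD review, on constructed sample data."""
from dataclasses import dataclass, field

# Role catalogue: each role is owned by exactly one department (constructed).
ROLE_OWNER = {
    "ap_clerk": "finance",
    "ap_approver": "finance",
    "hr_records": "hr",
    "helpdesk_tier1": "it",
}

# SoD rule: role pairs that must never be held together (constructed).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

@dataclass
class Employee:
    user: str
    department: str                       # current department per HR
    roles: set = field(default_factory=set)

def review_roles(emp):
    """Business role review: roles not owned by the user's current department.
    These are leftovers from a transfer, i.e. privilege creep."""
    return sorted(r for r in emp.roles if ROLE_OWNER.get(r) != emp.department)

def review_sod(emp):
    """SoD review: conflicting role pairs the user holds at the same time."""
    return sorted(sorted(pair) for pair in SOD_CONFLICTS if pair <= emp.roles)

def run_review(employees):
    """Per-user findings from both review types."""
    return {e.user: {"stale_roles": review_roles(e), "sod": review_sod(e)}
            for e in employees}

# Constructed records: alice moved from finance to hr but kept ap_clerk;
# bob is a clean finance user who nonetheless holds a conflicting pair.
SAMPLE = [
    Employee("alice", "hr", {"ap_clerk", "hr_records"}),
    Employee("bob", "finance", {"ap_clerk", "ap_approver"}),
    Employee("carol", "it", {"helpdesk_tier1"}),
]

if __name__ == "__main__":
    for user, findings in run_review(SAMPLE).items():
        print(user, findings)
```

Only the role review catches alice's leftover finance role; only the SoD review catches bob, which is why the two measures answer different questions.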

Discussion
Rollingalx (Option: A)

I go with A. Business role review is the most important additional measure to successfully limit excess access privileges when implementing RBAC.

jackdryan

B is correct

JJJCCC (Option: A)

A - to avoid privilege creep.

GuardianAngel (Option: C)

Answer C: Segregation of duties (SoD) review. This isn't asking about RBAC. It's asking "Which ADDITIONAL MEASURE...", so after RBAC is implemented, the next step is Separation of Duties. Separation of Duties (SOD) is a fundamental security principle used to prevent fraud and detect errors [5]. Role Based Access Control (RBAC) provides organisations with a platform to implement this security principle. https://www.diva-portal.org/smash/get/diva2:832009/FULLTEXT01.pdf The wording on these questions tries to trick you. A business role review is part of the RBAC that they have "ALREADY implemented" per the question verbiage, so the business role review has already been completed.

Goseu (Option: A)

Simply A

8e1c45b (Option: C)

Answer is C.

marziparzi (Option: A)

SoD is focused on splitting roles into smaller chunks for separate people. Its focus is on preventing abuse by one person or being overly dependent on one person. Its primary focus is not to evaluate whether a person's role matches their duties. Therefore, I believe it is A, Business role review.

GeenHersens (Option: B)

I do not think that C (SoD review) is related to the original objective (not retaining access privileges when moving departments), but it could be an additional measure. A & B are a bit the same, but I prefer B (also approved by ChatGPT & Copilot). I really do not like this question.

JBAnalyst (Option: B)

Take a look at question 454 to gain a better understanding of the use case of SOD and its review: it does not directly address the issue here.

JBAnalyst (Option: A)

Segregation or separation of duty aims to distribute tasks to multiple individuals to prevent conflict of interest, fraud, errors and misuse. It does not directly address privilege creep. RBAC and reviews of privileges address this issue.

629f731 (Option: C)

"Business role review" is also an important measure in the context of role-based access control (RBAC). However, the question specifically highlights the concern that employees who move to different departments do not retain access privileges from their previous departments. Business role review involves regularly evaluating and reviewing the roles assigned to users to ensure they remain appropriate and necessary. While relevant, Segregation of Duties (SoD) focuses more specifically on preventing an individual from having inappropriate combinations of roles that could lead to excess privileges. SoD helps prevent conflicts of interest and reduces risk by ensuring that certain critical functions are separated.

YesPlease (Option: A)

Answer A) Business Role Review. Role Based Access Control is literally giving someone access according to the role they are in. You need to review these business roles and analyze whether the access they have is still the right access to have, or should be adjusted if the business has changed. https://soterion.com/periodic-review-manager/#:~:text=Business%20Role%20Review

Soleandheel (Option: C)

C. Segregation of Duties (SoD) review. While business role reviews are important for aligning access privileges with an individual's current job responsibilities, segregation of duties (SoD) review is the most important additional measure to successfully limit excess access privileges in conjunction with role-based access control (RBAC). SoD review focuses on ensuring that no single individual is responsible for an entire transaction, thereby preventing the abuse of control and reducing the risk of fraudulent or unethical activities. It is an important element of many common audit, legal, and privacy regulation standards, such as HIPAA, SOX, GDPR, PCI, and SHIELD.

InclusiveSTEAM (Option: C)

C) Performing a Segregation of Duties (SoD) review is the most important additional measure to limit excess access privileges when implementing Role-Based Access Control (RBAC). An SoD review analyzes user roles and access to ensure the same user does not have permissions that create a conflict of interest or control fraud opportunity. This catches privilege creep due to outdated role assignments. The other options are less effective: A) Business role reviews validate appropriate role design but won't catch outdated role assignments. B) Line manager role reviews are good but managers may lack context to identify SoD conflicts. D) An access control matrix details permissions but does not flag SoD violations.

HughJassole (Option: B)

B. At my job line managers do periodic access reviews and remove extra.

Delab202 (Option: C)

A review is key. SOD review is the only correct answer. Others don’t do anything.

Marzie (Option: B)

IGA would typically involve access recertification, which goes to the line manager.