CompTIA Security Plus Mock Test Q992

Ann has recently transferred from the payroll department to engineering. While browsing file shares, Ann notices she can access the payroll status and pay rates of her new coworkers. Which of the following could prevent this scenario from occurring?

A. Credential management
B. Continuous monitoring
C. Separation of duties
D. User access reviews


Correct Answer: D
Section: Access Control and Identity Management

Explanation:
In addition to assigning user access properly, it is important to review that access periodically. Access review is a process to determine whether a user’s access level is still
appropriate. People’s roles within an organization can change over time. It is important to review user accounts periodically and determine if they still require the access they currently
have. An example of such a scenario would be a network administrator who was responsible for the domain controller but then moved over to administer the remote access servers.
The administrator’s access to the domain controller should now be terminated. This concept of access review is closely related to the concept of least privileges. It is important that
users do not have “leftover” privileges from previous job roles.

Incorrect Answers:
A: Credential management is the management or storage of usernames and passwords. Credential management would not prevent Ann from accessing the payroll files. Therefore,
this answer is incorrect.
B: Continuous monitoring implies an ongoing audit of what resources a user actually accesses. Continuous monitoring would enable you to see that Ann can access the payroll files. It
does not prevent access though. Therefore, this answer is incorrect.
C: Separation of duties policies are designed to reduce the risk of fraud and to prevent other losses in an organization by requiring more than one person to accomplish key processes.
Separation of duties would not prevent Ann from accessing the payroll files. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 154