CompTIA Security Plus Mock Test Q997

An organization is implementing a password management application which requires that all local administrator passwords be stored and automatically managed. Auditors will be responsible for monitoring activities in the application by reviewing the logs. Which of the following security controls is the BEST option to prevent auditors from accessing or modifying passwords in the application?

A. Time of day restrictions
B. Create user accounts for the auditors and assign read-only access
C. Mandatory access control
D. Role-based access with read-only

Correct Answer: D
Section: Access Control and Identity Management

Explanation:
Auditors (employees performing the auditor role) will access the application by reviewing the logs. We can therefore assign access based on employee role. This is an example of Role-Based Access Control (RBAC).

To prevent the auditors from modifying passwords in the application, we need to ensure that they do not have write access. Therefore, you should assign only read access.

Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available.

Instead of thinking “Denise needs to be able to edit files,” RBAC uses the logic “Editors need to be able to edit files” and “Denise is a member of the Editors group.” This model is well suited to an environment in which there is high employee turnover.
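The following is an added example illustrating the RBAC reasoning above; it is not part of the mock test or the cited review guide. It models a password vault with two constructed roles, an `auditor` role that may only read audit logs and a `vault_admin` role that may read and write passwords, and shows that permissions follow the role, so an auditor is denied password access and a user who changes roles loses the previous role's permissions.

```python
"""Minimal role-based access control (RBAC) model for a password vault.

Added example, not code from the mock test or the referenced review guide.
Role names, resource names and user names below are constructed for
illustration only.
"""
from dataclasses import dataclass, field

# Permissions are attached to roles, never to individual users.
# Constructed role definitions: role -> {resource -> set of allowed actions}.
ROLE_PERMISSIONS = {
    # Auditors may only read the application's audit logs.
    "auditor": {"audit_logs": {"read"}},
    # Vault administrators may read and write stored passwords and read logs.
    "vault_admin": {"audit_logs": {"read"}, "passwords": {"read", "write"}},
}


@dataclass
class User:
    """A subject; access is decided purely from the roles currently held."""
    name: str
    roles: set = field(default_factory=set)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Return True if any role the user currently holds grants the action."""
    for role in user.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
            return True
    return False


def access(user: User, resource: str, action: str) -> str:
    """Enforce the policy; raise PermissionError on a denied request."""
    if not is_allowed(user, resource, action):
        raise PermissionError(f"{user.name} may not {action} {resource}")
    return f"{user.name} performed {action} on {resource}"


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Move a user between roles; the old role's access disappears with it."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def demo() -> dict:
    """Run the scenario from the question and return the access decisions."""
    denise = User("Denise", {"auditor"})          # constructed auditor
    results = {
        "auditor_reads_logs": is_allowed(denise, "audit_logs", "read"),
        "auditor_reads_passwords": is_allowed(denise, "passwords", "read"),
        "auditor_writes_passwords": is_allowed(denise, "passwords", "write"),
    }
    # Denise moves into administration: she gains write access ...
    change_role(denise, "auditor", "vault_admin")
    results["admin_writes_passwords"] = is_allowed(denise, "passwords", "write")
    # ... and moving back to auditor revokes it again.
    change_role(denise, "vault_admin", "auditor")
    results["after_return_writes_passwords"] = is_allowed(
        denise, "passwords", "write"
    )
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

Because `is_allowed` consults only the role table, adding or removing an auditor never requires touching a permission; the read-only restriction is a property of the `auditor` role itself, which is the point of answer D.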

Incorrect Answers:
A: Time of day restrictions restrict what time of day an application can be accessed; for example, during office hours only. This will not prevent auditors from accessing or modifying passwords in the application. Therefore, this answer is incorrect.

B: The auditors will already have user accounts. Creating additional user accounts for the auditors would mean they have to manage multiple user accounts. This is not the best solution. Therefore, this answer is incorrect.

C: Mandatory Access Control (MAC) allows access to be granted or restricted based on the rules of classification. MAC in corporate business environments involves the following four sensitivity levels: Public, Sensitive, Private and Confidential. MAC assigns subjects a clearance level and assigns objects a sensitivity label. The name of the clearance level must be the same as the name of the sensitivity label assigned to objects or resources. This is not the best solution for this question. Therefore, this answer is incorrect.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 151-152