Which of the following statements pertaining to access control is false?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed.
If access is not explicitly allowed, it should be implicitly denied.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).
Access control is a fundamental concept in information security that governs the management of access to resources in a computing environment. It is crucial to ensure that users have the right level of access to resources to perform their job duties without exposing sensitive data to unauthorized users. In this context, let's examine each of the statements and identify which one is false.
A. Users should only access data on a need-to-know basis. This statement is true. Need-to-know is a principle that limits access to sensitive information to only those individuals who require it to perform their job duties. By limiting access to sensitive data, the risk of data leakage is minimized, and the confidentiality of the data is preserved.
B. If access is not explicitly denied, it should be implicitly allowed. This statement is false. The principle of least privilege dictates that users should only have access to resources that are necessary to perform their job duties. All other access should be explicitly denied. Implicitly allowing access can create security vulnerabilities that can be exploited by attackers.
C. Access rights should be granted based on the level of trust a company has on a subject. This statement is true, to a certain extent. Access rights should be granted based on the level of trust that a company has in a subject's ability to handle sensitive data. For example, a company may grant access to sensitive data to an employee with a higher clearance level. However, this should not be the only factor in determining access rights. Other factors such as the principle of least privilege and the need-to-know principle should also be considered.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks. This statement is true. Roles are a commonly used mechanism to assign access rights to a type of user who performs certain tasks. For example, a role could be created for a database administrator who needs access to the company's databases. By assigning access rights to a role, the administrator can perform their duties without being granted access to resources that are outside their job scope.
In summary, the false statement pertaining to access control is B. If access is not explicitly denied, it should be implicitly allowed.