During a security audit, an analyst finds that a third-party vendor has access to sensitive customer data beyond what is necessary for their services. Which principle of least privilege should the policy enforce?
This policy limits vendor access to only necessary data.
Why this answer
The principle of least privilege means granting only the minimum rights needed. The policy should enforce a data classification and access control policy that restricts vendor access to only required data sets. Option C is correct.
Option A (end-user license agreement) is an agreement between vendor and customer. Option B (SLA) defines service levels. Option D (incident response) applies after the fact.