An organization is implementing a new access control system based on the principle of least privilege. Which two of the following practices are essential to achieving least privilege? (Select TWO)
Regular reviews help maintain minimal permissions by revoking unnecessary access.
Why this answer
Option A is correct because regular permission reviews are essential to maintaining least privilege over time. Users' roles and responsibilities change, and without periodic audits, excess permissions accumulate (so-called privilege creep) and the principle is violated. This aligns with NIST SP 800-53 AC-6 (Least Privilege); its enhancement AC-6(7), Review of User Privileges, requires organizations to review the privileges assigned to users at an organization-defined frequency and to reassign or remove privileges that are no longer needed.
Exam trap
ISC2 often tests whether candidates confuse the principle of least privilege with account management practices such as enabling and disabling accounts, or whether they think it is acceptable to start with full access and restrict it later. Least privilege requires a default-deny posture: a subject holds only the permissions explicitly granted for its current role, and anything not granted is denied.
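The two points above (periodic reviews that revoke accumulated or dormant permissions, and default-deny authorization) can be shown together in a small script. This is an added example, not material from the exam or from ISC2; the users, roles, permissions, dates, the 90-day dormancy threshold and all function names are this example's own constructed assumptions.

```python
"""Added example (not from the exam page): a minimal periodic access review
that flags permissions for revocation, plus a default-deny authorization
check. All users, roles, permissions and timestamps are constructed data."""

from datetime import date, timedelta

# Constructed baseline: the permissions each role legitimately needs.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "analyst": {"logs:read", "dashboard:read"},
}

# Constructed snapshot of the access control system: what each user actually
# holds, and when each permission was last exercised (None = never used).
GRANTS = {
    "alice": {
        "role": "developer",
        "perms": {
            "repo:read": date(2024, 6, 1),
            "repo:write": date(2024, 6, 2),
            "ci:run": date(2024, 1, 5),        # unused for months: dormant
            "prod:deploy": date(2023, 11, 20), # left over from a previous role
        },
    },
    "bob": {
        "role": "analyst",
        "perms": {
            "logs:read": date(2024, 6, 3),
            "dashboard:read": None,            # granted but never used
            "repo:write": None,                # not in role baseline at all
        },
    },
}

# Constructed date on which the review runs.
REVIEW_DATE = date(2024, 6, 10)


def review_access(grants, baseline, today, dormant_days=90):
    """Return {user: {perm: reason}} for every permission the review
    recommends revoking. Two reasons are produced:
      'excess'  - not in the user's current role baseline (privilege creep)
      'dormant' - in the baseline but unused for more than dormant_days
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = {}
    for user, rec in grants.items():
        allowed = baseline.get(rec["role"], set())
        for perm, last_used in rec["perms"].items():
            if perm not in allowed:
                findings.setdefault(user, {})[perm] = "excess"
            elif last_used is None or last_used < cutoff:
                findings.setdefault(user, {})[perm] = "dormant"
    return findings


def apply_revocations(grants, findings):
    """Return a new grant table with every flagged permission removed.
    The input table is left untouched so the review is auditable."""
    cleaned = {u: {"role": r["role"], "perms": dict(r["perms"])}
               for u, r in grants.items()}
    for user, perms in findings.items():
        for perm in perms:
            cleaned[user]["perms"].pop(perm, None)
    return cleaned


def is_authorized(grants, user, perm):
    """Default-deny: access is permitted only by an explicit, current grant.
    Unknown users and permissions not listed for the user fall through to
    False; there is no 'full access unless restricted' path."""
    rec = grants.get(user)
    return rec is not None and perm in rec["perms"]


if __name__ == "__main__":
    findings = review_access(GRANTS, ROLE_BASELINE, REVIEW_DATE)
    for user, perms in findings.items():
        for perm, reason in perms.items():
            print(f"revoke {user}: {perm} ({reason})")
    cleaned = apply_revocations(GRANTS, findings)
    print("alice prod:deploy after review:",
          is_authorized(cleaned, "alice", "prod:deploy"))
```

Running the review on the constructed snapshot flags alice's leftover `prod:deploy` and bob's `repo:write` as excess, and `ci:run` and `dashboard:read` as dormant; after revocation the default-deny check refuses `prod:deploy` for alice while her in-baseline, recently used permissions still pass.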