CompTIA Security+ (SY0-501) — Question 727
An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes.
Which of the following access control approaches is BEST suited for this?
Answer options
- A. Assign administrators and auditors to different groups and restrict permissions on system log files to read-only for the auditor group.
- B. Assign administrators and auditors to the same group, but ensure they have different permissions based on the function they perform.
- C. Create two groups and ensure each group has representation from both the auditors and the administrators so they can verify any changes that were made.
- D. Assign file and folder permissions on an individual user basis and avoid group assignment altogether.
Correct answer: A
Explanation
Option A is correct because it separates the roles of administrators and auditors: each role has its own group, and read-only permissions on the system log files let the auditor group review the logs without altering them. The other options either combine roles inappropriately, which can lead to conflicts of interest, or do not adhere to the principle of least privilege effectively.