Systems Security Certified Practitioner (SSCP) — Question 54
Which of the following statements pertaining to access control is false?
Answer options
- A. Users should only access data on a need-to-know basis.
- B. If access is not explicitly denied, it should be implicitly allowed.
- C. Access rights should be granted based on the level of trust a company has in a subject.
- D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.
Correct answer: B
Explanation
Option B is the false statement: access should not be automatically granted merely because it has not been explicitly denied. The principle of least privilege dictates that access should be explicitly defined. The other options (A, C, and D) correctly reflect established access control principles that promote security and proper data handling.