WGU C845 VUN1 Task 1-3 Security Operations Management Solutions | Accurate & Verified Answers to
WGU C845 VUN1 Task 1 | Passed on First
Pass Actual Exam
Attempt |Latest Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access Controls
Information Systems Security - C845
A. Apply an Access Control Model
A.1. Chosen Access Control Model
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
• Role Assignment: A user is assigned to a role based on their job function (e.g., "Finance
Analyst").
• Permission Assignment: Permissions to perform operations on systems are assigned to roles,
not to individual users.
• Session Management: A user activates a role to gain the associated permissions for a session.
• Least Privilege: Users should only have the minimum level of access necessary to perform their
job duties.
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
permissions are strictly tied to business functions, reducing complexity and the potential for user error
when assigning permissions.
A.2. Four Misalignments with RBAC Principles
1. Misalignment 1: Privilege Escalation Beyond Role Scope
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. A
junior role should not have the highest level of access in a Windows environment.
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior system
admin" implies a subset of administrative duties, not unrestricted domain-wide control.
2. Misalignment 2: Unnecessary Access Across Departments
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system
, primarily for Sales and Support. A finance role typically does not require full modification
rights in a customer relationship system.
• Conflict with RBAC: This violates least privilege and separation of duties. It allows for
potential data manipulation outside the user's core business function.
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has an
"Active" account status and successfully logged in on 2025-06-29.
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a change
in employment status. An active session for a terminated user completely bypasses the
security provided by the role structure.
4. Misalignment 4: Overly Broad Privileged Access
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All internal
systems," and the log shows they made a firewall rule change without a ticket_id.
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
violates least privilege and impedes accountability. It does not segment duties within the
IT department itself.
,A.3. Recommended nj Changes to Resolve Misalignments
nj nj nj
1. Recommendation 1:Implement njPrivilegeTieringforAdministrativeRoles
j
• Justification: njFollowing njthe njCIS njControl nj5 nj(Account njManagement) njand njthe
njprinciple njof
njleastprivilege,administrativeaccounts shouldbesegregated.The"Juniorsystemadmin"
j j
njrole njshouldnjbe njassigned njamorerestrictednjsetofprivileges, njsuch njas nj"Server
njOperator" njor nj"HelpnjDesk njAdministrator," njwhich njallows njfor njdaily njtasks njwithout
njgranting njdomain-wide njcontrol nj(NIST njSP nj800-53, njAC-6).
2. Recommendation 2:Conduct aRole-PermissionReview n j andRemediation
j j
• Justification: njAlign njwith njISO/IEC nj27001:2022, njA.5.35 nj(Access njcontrol) njby
njperforming nja njformal njreviewofall njrole njassignments.Remove njaccessto
njsystemslikethe njCRM njfrom njthe
nj"Financeanalyst"roleunlessacompellingbusinessjustificationexists.Accessshouldbe
j
njbased njon njdocumented njjob njrequirements.
3. Recommendation 3:AutomateAccess RevocationandEnforceChangeManagement
j j
• Justification:PerNISTSP800-53,AC-2(Account Management),accountrevocationmust
j
n j occur njimmediately njupon njtermination. njThis njshould njbe njan njautomated njpart njof njthe
njHR njoffboarding njprocess. njFurthermore, njall njchanges, njincluding njfirewall
njmodifications, njmust njrequirenjaticketnjIDnjfornjapprovalnjandna j uditingnj(CISnjControlnj10nj-
njMalwarenD j efenses,njrelying njon njchange njmanagement).
A.4. Revised User Role Matrix
nj nj nj
TherevisedmatrixreflectsastricterRBACimplementation.Keychangesare
j n j bolded.
Role AssignednjUser SystemAccess PrivilegeLevel(Revised)
FinancenjManager A.njJones Payrollsystem,budget Fullaccess
njtracker
Financeanalyst L.nC
j heng Payrollsystem,budget Readandwrite(CRM
njtracker njaccessnr
j emoved)
HRnjcoordinator M.Singh HRportal,payroll njsystem Readandwrite
SecuritynjAnalyst K.nP
j atel SIEM,networklogs, Readonly
njfirewallconsole
ITnjadministrator T.Miller Allinternalsystems Fulladmin
Juniorsystemadmin J.nLj opez Domaincontroller,all ServernO
j perator
njinternal njsystems nj(Domain
njAdmin
removed)
Customersupportrep R.njDavis CRM,nej mailnjserver Readonly
Customersupportrep J.nH
j all CRM,nej mailnjserver Read njonly nj(Payroll
systemaccess removed)
j
Externalauditor D.Nguyen Budgettracker Readonly
Marketing njmanager C.Wright Emailnjserver,njCRM Fullaccess
, HRnjassistant P.Ellis HRportal,payroll njsystem Readandwrite
BusinessAnalyst S.njKumar Budgettracker, njCRM Readonly
NetworkEngineer R.njLee Firewallconsole,VPN Admin
njgateway
ComplianceOfficer T.Nguyen Auditlogs,policy Readonly
njrepository
Contractor–ITnjAudit M.Brown SIEM,networklogs Readonly
PayrollnjSpecialist H.Alvarez Payrollnjsystem Readandwrite
Dataengineer E.nR
j omero Datawarehouse,SFTP WriteonETL paths
j
njgateway
Serviceaccount–nP
j ayroll Svc_payroll_etl SFTPgateway,np j ayroll Automation njtoken
njETL njsystemnjAPI
Vendorsupport – j Vendor_finapp VPNgateway,njfinance Localadminnjonnjapp
njFinancena
j pp njappns
j erver
Helpdesktechnician B.Ortiz Ticketing tool,ADusersnjand
j j Helpdeskadmin
njcomputers nj(passwordnjreset)
Read-onlyreporting Report_ro Budgettracker,finance Readonly
njreports
QAAnalyst J.nC
j arter Stagingwebapp,testnD j B DBreadandwrite
nj(staging)
FacilitiesCoordinator L.nSj mith Badgesystem,work Badgeadmin,nW
j Owrite
njordernjsystem
Intern-njMarketing P.Rivera Emailserver,sharedrive Readandwrite
nj(marketing) nj(marketing)
B. Evaluate Access Control Policies
nj nj nj
B.1. Three Policy Gaps or Inconsistencies
nj n j nj nj
1. Gap1:InadequateAccessReviewProcess.Policysection3statesreviewsoccur"asneeded"
n j withnnj onjdefinednjfrequencyno j rnjformalnp j rocess.nT
j hisnjleadsnjtonjprivilegecreepnjandnjstale
njaccess.
2. Gap nj2: njWeak njShared njAccount njManagement. njPolicy njsection nj7 njmandates njpassword
njrotation njfor
njsharedaccounts only"atleastannually,"whichisinsufficient.Italsoencouragessharedaccounts njto
j j
njlimit njlicense njcosts, njconflicting njwith njthe njprinciple njof njindividual njaccountability.
3. Gap3:DelayedAccessRevocation.Policysection8allowsforaccessrevocation"withinseven
njdays" njof njtermination. njThis njis nja njcritical njwindow njof njexposure, njas njevidenced njby njP. njEllis's
njpost- njterminationnjlogin.
B.2. RecommendedPolicyChanges
1. RecommendationforGap1:Updatepolicysection3tomandatequarterlyaccessreviewsforall j
njprivileged njroles njand njbi-annual njreviews njfor njall njuser njroles. njResults njmust njbe njsigned njoff
njby njdepartment njheads njand njsecurity.
WGU C845 VUN1 Task 1 | Passed on First
Pass Actual Exam
Attempt |Latest Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access Controls
Information Systems Security - C845
A. Apply an Access Control Model
A.1. Chosen Access Control Model
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
• Role Assignment: A user is assigned to a role based on their job function (e.g., "Finance
Analyst").
• Permission Assignment: Permissions to perform operations on systems are assigned to roles,
not to individual users.
• Session Management: A user activates a role to gain the associated permissions for a session.
• Least Privilege: Users should only have the minimum level of access necessary to perform their
job duties.
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
permissions are strictly tied to business functions, reducing complexity and the potential for user error
when assigning permissions.
A.2. Four Misalignments with RBAC Principles
1. Misalignment 1: Privilege Escalation Beyond Role Scope
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. A
junior role should not have the highest level of access in a Windows environment.
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior system
admin" implies a subset of administrative duties, not unrestricted domain-wide control.
2. Misalignment 2: Unnecessary Access Across Departments
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system
, primarily for Sales and Support. A finance role typically does not require full modification
rights in a customer relationship system.
• Conflict with RBAC: This violates least privilege and separation of duties. It allows for
potential data manipulation outside the user's core business function.
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has an
"Active" account status and successfully logged in on 2025-06-29.
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a change
in employment status. An active session for a terminated user completely bypasses the
security provided by the role structure.
4. Misalignment 4: Overly Broad Privileged Access
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All internal
systems," and the log shows they made a firewall rule change without a ticket_id.
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
violates least privilege and impedes accountability. It does not segment duties within the
IT department itself.
,A.3. Recommended nj Changes to Resolve Misalignments
nj nj nj
1. Recommendation 1:Implement njPrivilegeTieringforAdministrativeRoles
j
• Justification: njFollowing njthe njCIS njControl nj5 nj(Account njManagement) njand njthe
njprinciple njof
njleastprivilege,administrativeaccounts shouldbesegregated.The"Juniorsystemadmin"
j j
njrole njshouldnjbe njassigned njamorerestrictednjsetofprivileges, njsuch njas nj"Server
njOperator" njor nj"HelpnjDesk njAdministrator," njwhich njallows njfor njdaily njtasks njwithout
njgranting njdomain-wide njcontrol nj(NIST njSP nj800-53, njAC-6).
2. Recommendation 2:Conduct aRole-PermissionReview n j andRemediation
j j
• Justification: njAlign njwith njISO/IEC nj27001:2022, njA.5.35 nj(Access njcontrol) njby
njperforming nja njformal njreviewofall njrole njassignments.Remove njaccessto
njsystemslikethe njCRM njfrom njthe
nj"Financeanalyst"roleunlessacompellingbusinessjustificationexists.Accessshouldbe
j
njbased njon njdocumented njjob njrequirements.
3. Recommendation 3:AutomateAccess RevocationandEnforceChangeManagement
j j
• Justification:PerNISTSP800-53,AC-2(Account Management),accountrevocationmust
j
n j occur njimmediately njupon njtermination. njThis njshould njbe njan njautomated njpart njof njthe
njHR njoffboarding njprocess. njFurthermore, njall njchanges, njincluding njfirewall
njmodifications, njmust njrequirenjaticketnjIDnjfornjapprovalnjandna j uditingnj(CISnjControlnj10nj-
njMalwarenD j efenses,njrelying njon njchange njmanagement).
A.4. Revised User Role Matrix
nj nj nj
TherevisedmatrixreflectsastricterRBACimplementation.Keychangesare
j n j bolded.
Role AssignednjUser SystemAccess PrivilegeLevel(Revised)
FinancenjManager A.njJones Payrollsystem,budget Fullaccess
njtracker
Financeanalyst L.nC
j heng Payrollsystem,budget Readandwrite(CRM
njtracker njaccessnr
j emoved)
HRnjcoordinator M.Singh HRportal,payroll njsystem Readandwrite
SecuritynjAnalyst K.nP
j atel SIEM,networklogs, Readonly
njfirewallconsole
ITnjadministrator T.Miller Allinternalsystems Fulladmin
Juniorsystemadmin J.nLj opez Domaincontroller,all ServernO
j perator
njinternal njsystems nj(Domain
njAdmin
removed)
Customersupportrep R.njDavis CRM,nej mailnjserver Readonly
Customersupportrep J.nH
j all CRM,nej mailnjserver Read njonly nj(Payroll
systemaccess removed)
j
Externalauditor D.Nguyen Budgettracker Readonly
Marketing njmanager C.Wright Emailnjserver,njCRM Fullaccess
, HRnjassistant P.Ellis HRportal,payroll njsystem Readandwrite
BusinessAnalyst S.njKumar Budgettracker, njCRM Readonly
NetworkEngineer R.njLee Firewallconsole,VPN Admin
njgateway
ComplianceOfficer T.Nguyen Auditlogs,policy Readonly
njrepository
Contractor–ITnjAudit M.Brown SIEM,networklogs Readonly
PayrollnjSpecialist H.Alvarez Payrollnjsystem Readandwrite
Dataengineer E.nR
j omero Datawarehouse,SFTP WriteonETL paths
j
njgateway
Serviceaccount–nP
j ayroll Svc_payroll_etl SFTPgateway,np j ayroll Automation njtoken
njETL njsystemnjAPI
Vendorsupport – j Vendor_finapp VPNgateway,njfinance Localadminnjonnjapp
njFinancena
j pp njappns
j erver
Helpdesktechnician B.Ortiz Ticketing tool,ADusersnjand
j j Helpdeskadmin
njcomputers nj(passwordnjreset)
Read-onlyreporting Report_ro Budgettracker,finance Readonly
njreports
QAAnalyst J.nC
j arter Stagingwebapp,testnD j B DBreadandwrite
nj(staging)
FacilitiesCoordinator L.nSj mith Badgesystem,work Badgeadmin,nW
j Owrite
njordernjsystem
Intern-njMarketing P.Rivera Emailserver,sharedrive Readandwrite
nj(marketing) nj(marketing)
B. Evaluate Access Control Policies
nj nj nj
B.1. Three Policy Gaps or Inconsistencies
nj n j nj nj
1. Gap1:InadequateAccessReviewProcess.Policysection3statesreviewsoccur"asneeded"
n j withnnj onjdefinednjfrequencyno j rnjformalnp j rocess.nT
j hisnjleadsnjtonjprivilegecreepnjandnjstale
njaccess.
2. Gap nj2: njWeak njShared njAccount njManagement. njPolicy njsection nj7 njmandates njpassword
njrotation njfor
njsharedaccounts only"atleastannually,"whichisinsufficient.Italsoencouragessharedaccounts njto
j j
njlimit njlicense njcosts, njconflicting njwith njthe njprinciple njof njindividual njaccountability.
3. Gap3:DelayedAccessRevocation.Policysection8allowsforaccessrevocation"withinseven
njdays" njof njtermination. njThis njis nja njcritical njwindow njof njexposure, njas njevidenced njby njP. njEllis's
njpost- njterminationnjlogin.
B.2. RecommendedPolicyChanges
1. RecommendationforGap1:Updatepolicysection3tomandatequarterlyaccessreviewsforall j
njprivileged njroles njand njbi-annual njreviews njfor njall njuser njroles. njResults njmust njbe njsigned njoff
njby njdepartment njheads njand njsecurity.
