
WGU C845 VUN1 Task 1 | Passed on First Attempt | Latest Update with Complete Solution

Pages: 18
Uploaded on: 20-12-2025
Written in: 2025/2026

Information Systems Security C845

VUN1 Task 1




A1.

The company should apply a role-based access control (RBAC) model to the
user role matrix. A role-based access control model grants privileges to
subjects based on the duties or tasks of that subject (Willis 142-143). This
means it can separate privileges for different users according to their role
within the organization. For example, an auditor should be granted a “read
only” privilege to do their job, whereas an operations manager should have
full access to the organization’s systems. This model offers several
advantages, including least privilege and separation of duties, that would
benefit the organization outlined in the Security Operations Artifact.
However, most importantly for this organization, an RBAC model can revoke
privileges based on the duration of the role, meaning the time period during
which the role is valid (Willis 143).

The organization in question does not have a duration access control setting
applied to their current user role matrix. Implementing such a control
would revoke privileges that are still available to former employees, thereby
immediately enhancing the security of their systems. They also do not have
least privilege control implemented in their user matrix, which would give
each user the minimum level of privileges needed to fulfill their role in the
organization (Willis 31). The absence of this control, incidentally, has
granted a junior employee full domain administrator privilege. This kind of
master control over the system's domain should be reserved for a select few
authorized management-level employees.

The company's Role Matrix indicates that they are attempting to utilize a
role-based model approach to their security, but it could be further refined.

A2.

Misalignment 1: A newly hired employee, J. Lopez, was hired for the role
of Junior System Administrator on 18 September 2023 and was given
Domain Administrator access to all internal systems.

Conflict with RBAC: This misalignment conflicts with a role-based access
control system because Lopez can access and modify nearly every aspect of
the domain and its controllers, despite being a junior-level employee whose
junior role in the organization should not carry a managerial level of
authority.

Misalignment 2: P. Ellis was fired from the organization on 20 May 2025,
and they still retain “read and write” privileges to the Human Resources
portal and the payroll system.

Conflict with RBAC: This is extremely dangerous and is grossly misaligned
with the duration aspect of a role-based access control system. Once an
employee has been terminated, their privileges should be revoked
immediately, as a disgruntled ex-employee can pose significant security
threats to an organization, especially if they still have access to the
organization's critical systems, such as payroll. Similarly, there are a few
other ex-personnel who still have access to various systems within the
organization. This misalignment conflicts with the role-based access control
system because the duration setting of a role-based access control system
would have revoked such privileges immediately after termination of their
internship, instead of leaving an exfiltration security risk as it has.

Misalignment 3: J. Hall, who is a customer support representative, has
access to the payroll system.

Conflict with RBAC: This misalignment conflicts with the role-based
access control system because the separation of duties aspect inherent in
RBAC would have restricted payroll access from an employee who is not in
a financial position or role.

Misalignment 4: M. Singh, who occupies the role of HR Coordinator, has
“read and write” access to the payroll system.

Conflict with RBAC: This access should be separated from the role that
Singh fills. Singh has appropriate access to the HR portal; however, in a
role-based access control model, the separation of duties principle dictates
that a person should not have permissions unrelated to the responsibilities
they need to fulfill in their role. HR does not require access to financial
portals.
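
The four misalignments above can be found mechanically by a periodic access review. The following is an added example, not part of the original document: the policy table, the system names, the role label used for P. Ellis and the access level used for J. Hall are assumptions, and the matrix is constructed from the names and privileges described in A2.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Privilege levels ordered from lowest to highest.
RANK = {"read": 1, "read/write": 2, "Domain Administrator": 3}

# Assumed policy (not taken from the page's artifact): the highest level
# each role may hold on each system. A missing system means no access.
POLICY = {
    "Junior System Administrator": {"Internal Systems": "read/write"},
    "Customer Support Representative": {},
    "HR Coordinator": {"HR Portal": "read/write"},
}

@dataclass
class User:
    name: str
    role: str
    access: dict                      # system -> level currently granted
    terminated: Optional[date] = None

def review(users, today):
    """Return (user, system, action) findings for one periodic review."""
    findings = []
    for u in users:
        for system, level in u.access.items():
            # Duration check: a role that has ended keeps no privileges.
            if u.terminated and u.terminated <= today:
                findings.append((u.name, system, "terminated: revoke"))
                continue
            allowed = POLICY.get(u.role, {}).get(system)
            if allowed is None:       # separation of duties
                findings.append((u.name, system, "outside role: revoke"))
            elif RANK[level] > RANK[allowed]:   # least privilege
                findings.append((u.name, system, f"exceeds role: reduce to {allowed}"))
    return findings

# Constructed matrix; Ellis's role and Hall's level are placeholders.
MATRIX = [
    User("J. Lopez", "Junior System Administrator", {"Internal Systems": "Domain Administrator"}),
    User("P. Ellis", "(former employee)", {"HR Portal": "read/write", "Payroll System": "read/write"}, date(2025, 5, 20)),
    User("J. Hall", "Customer Support Representative", {"Payroll System": "read"}),
    User("M. Singh", "HR Coordinator", {"HR Portal": "read/write", "Payroll System": "read/write"}),
]

if __name__ == "__main__":
    for finding in review(MATRIX, date(2025, 12, 20)):
        print(*finding, sep=" | ")
```

Singh's HR Portal access produces no finding because it matches the assumed policy for the role; only the payroll entitlement is flagged.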

A3.

Recommendation 1: Implementing a periodic review of user privileges,
inherent in a role-based access control system, would prevent users from
having access above their authorized level. It would significantly reduce the
possibility of exfiltration, as only a limited number of users can access
sensitive information and systems. Privileges may be temporarily granted
for the purpose of completing a task, but they should be revoked when no
longer required (NIST SP 800-53). For example, if a timely periodic review
of privileges had already been implemented in the organization's user
access matrix, then J. Lopez, a junior-level employee, would not have had
Domain Administrator access to all internal systems.

Justification: NIST SP 800-53 AC-6: Least Privilege – Review of User
Privileges. This standard specifies that an organization should periodically
