WGU C845 VUN1 Task 1 | Passed on First Attempt |Latest
Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access
Controls
Information Systems Security - C845
A. Apply an Access Control Model
A.1. Chosen Access Control Model
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
• Role Assignment: A user is assigned to a role based on their job function (e.g., "Finance
Analyst").
• Permission Assignment: Permissions to perform operations on systems are assigned to roles,
not to individual users.
• Session Management: A user activates a role to gain the associated permissions for a session.
• Least Privilege: Users should only have the minimum level of access necessary to perform their
job duties.
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
permissions are strictly tied to business functions, reducing complexity and the potential for user error
when assigning permissions.
A.2. Four Misalignments with RBAC Principles
1. Misalignment 1: Privilege Escalation Beyond Role Scope
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. A
junior role should not have the highest level of access in a Windows environment.
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior system
admin" implies a subset of administrative duties, not unrestricted domain-wide control.
2. Misalignment 2: Unnecessary Access Across Departments
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system
primarily for Sales and Support. A finance role typically does not require full modification
rights in a customer relationship system.
, • Conflict with RBAC: This violates least privilege and separation of duties. It allows for
potential data manipulation outside the user's core business function.
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has an
"Active" account status and successfully logged in on 2025-06-29.
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a change
in employment status. An active session for a terminated user completely bypasses the
security provided by the role structure.
4. Misalignment 4: Overly Broad Privileged Access
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All internal
systems," and the log shows they made a firewall rule change without a ticket_id.
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
violates least privilege and impedes accountability. It does not segment duties within the
IT department itself.
A.3. Recommended Changes to Resolve Misalignments
1. Recommendation 1: Implement Privilege Tiering for Administrative Roles
• Justification: Following the CIS Control 5 (Account Management) and the principle of
least privilege, administrative accounts should be segregated. The "Junior system admin"
role should be assigned a more restricted set of privileges, such as "Server Operator" or
"Help Desk Administrator," which allows for daily tasks without granting domain-wide
control (NIST SP 800-53, AC-6).
2. Recommendation 2: Conduct a Role-Permission Review and Remediation
• Justification: Align with ISO/IEC 27001:2022, A.5.35 (Access control) by performing a
formal review of all role assignments. Remove access to systems like the CRM from the
"Finance analyst" role unless a compelling business justification exists. Access should be
based on documented job requirements.
3. Recommendation 3: Automate Access Revocation and Enforce Change Management
• Justification: Per NIST SP 800-53, AC-2 (Account Management), account revocation must
occur immediately upon termination. This should be an automated part of the HR
offboarding process. Furthermore, all changes, including firewall modifications, must
require a ticket ID for approval and auditing (CIS Control 10 - Malware Defenses, relying
on change management).
A.4. Revised User Role Matrix
The revised matrix reflects a stricter RBAC implementation. Key changes are bolded.
Role Assigned User System Access Privilege Level (Revised)
Finance Manager A. Jones Payroll system, budget Full access
tracker
Finance analyst L. Cheng Payroll system, budget Read and write (CRM
tracker access removed)
HR coordinator M. Singh HR portal, payroll system Read and write
Security Analyst K. Patel SIEM, network logs, Read only
firewall console
Update with Complete Solution
VUN1 — VUN1 Task 1: Managing Security Operations and Access
Controls
Information Systems Security - C845
A. Apply an Access Control Model
A.1. Chosen Access Control Model
I have chosen the Role-Based Access Control (RBAC) model. The principles of RBAC are:
• Role Assignment: A user is assigned to a role based on their job function (e.g., "Finance
Analyst").
• Permission Assignment: Permissions to perform operations on systems are assigned to roles,
not to individual users.
• Session Management: A user activates a role to gain the associated permissions for a session.
• Least Privilege: Users should only have the minimum level of access necessary to perform their
job duties.
The organization's access control structure, as seen in the user matrix, is implicitly role-based (e.g.,
"Finance manager," "HR coordinator"). Applying a formal RBAC model would streamline this by ensuring
permissions are strictly tied to business functions, reducing complexity and the potential for user error
when assigning permissions.
A.2. Four Misalignments with RBAC Principles
1. Misalignment 1: Privilege Escalation Beyond Role Scope
• Description: The "Junior system admin" (J. Lopez) has "Domain admin" privileges. A
junior role should not have the highest level of access in a Windows environment.
• Conflict with RBAC: This violates the principle of least privilege. The role "Junior system
admin" implies a subset of administrative duties, not unrestricted domain-wide control.
2. Misalignment 2: Unnecessary Access Across Departments
• Description: The "Finance analyst" (L. Cheng) has "Full access" to the CRM, a system
primarily for Sales and Support. A finance role typically does not require full modification
rights in a customer relationship system.
, • Conflict with RBAC: This violates least privilege and separation of duties. It allows for
potential data manipulation outside the user's core business function.
3. Misalignment 3: Violation of User-Role Assignment Post-Termination
• Description: The "HR assistant" (P. Ellis), who was terminated on 2025-05-20, has an
"Active" account status and successfully logged in on 2025-06-29.
• Conflict with RBAC: RBAC requires timely revocation of role assignments upon a change
in employment status. An active session for a terminated user completely bypasses the
security provided by the role structure.
4. Misalignment 4: Overly Broad Privileged Access
• Description: The "IT administrator" (T. Miller) has "Full admin" access to "All internal
systems," and the log shows they made a firewall rule change without a ticket_id.
• Conflict with RBAC: While some access is necessary, blanket "Full admin" access
violates least privilege and impedes accountability. It does not segment duties within the
IT department itself.
A.3. Recommended Changes to Resolve Misalignments
1. Recommendation 1: Implement Privilege Tiering for Administrative Roles
• Justification: Following the CIS Control 5 (Account Management) and the principle of
least privilege, administrative accounts should be segregated. The "Junior system admin"
role should be assigned a more restricted set of privileges, such as "Server Operator" or
"Help Desk Administrator," which allows for daily tasks without granting domain-wide
control (NIST SP 800-53, AC-6).
2. Recommendation 2: Conduct a Role-Permission Review and Remediation
• Justification: Align with ISO/IEC 27001:2022, A.5.35 (Access control) by performing a
formal review of all role assignments. Remove access to systems like the CRM from the
"Finance analyst" role unless a compelling business justification exists. Access should be
based on documented job requirements.
3. Recommendation 3: Automate Access Revocation and Enforce Change Management
• Justification: Per NIST SP 800-53, AC-2 (Account Management), account revocation must
occur immediately upon termination. This should be an automated part of the HR
offboarding process. Furthermore, all changes, including firewall modifications, must
require a ticket ID for approval and auditing (CIS Control 10 - Malware Defenses, relying
on change management).
A.4. Revised User Role Matrix
The revised matrix reflects a stricter RBAC implementation. Key changes are bolded.
Role Assigned User System Access Privilege Level (Revised)
Finance Manager A. Jones Payroll system, budget Full access
tracker
Finance analyst L. Cheng Payroll system, budget Read and write (CRM
tracker access removed)
HR coordinator M. Singh HR portal, payroll system Read and write
Security Analyst K. Patel SIEM, network logs, Read only
firewall console
