CCISO (712-50) Executive Decision Simulation
Executive Briefing
You are the CISO of a rapidly expanding healthcare technology company. The organization has been hiring aggressively to support a new product launch. On his first day, Michael, a newly hired Marketing Manager, logs into his corporate dashboard and discovers he has full administrative access to the central HR portal and read/write access to patient billing records.
Michael immediately reports this to the IT helpdesk. The CIO informs you that the IT department has been "cloning" the profiles of senior directors to provision new users quickly, attempting to meet aggressive onboarding KPIs set by the business.
Business Context
- Business Objective: Rapid scaling and frictionless employee onboarding.
- Risk Appetite: Zero tolerance for regulatory non-compliance (HIPAA, SOX) and data breaches.
- Strategic Mandate: Identity governance must enforce strict Segregation of Duties (SoD) without causing unacceptable delays in workforce productivity.
Decision Scenario
As the CISO, you must brief the executive committee on this incident. You cannot simply instruct IT to "fix Michael's account." You must articulate the exact governance failure that caused this issue so that structural changes to the onboarding lifecycle can be mandated and funded by the board.
Question
Michael starts a new job and discovers that he has unnecessary access to a variety of systems. Which of the following best describes the problem he has encountered?
A. Rights collision
B. Excessive privileges
C. Privilege creep
D. Least privilege
Strategic Analysis
1. What is the real problem?
The root cause is a broken Identity and Access Management (IAM) provisioning lifecycle. By prioritizing speed over security (cloning high-level profiles), IT has introduced massive insider threat vulnerabilities and direct violations of regulatory compliance frameworks.
2. Business vs. security perspective
The business views onboarding speed as a critical productivity metric. Security views overly broad access as an existential threat. The CISO must implement Role-Based Access Control (RBAC) to standardize day-one access, providing the speed the business wants with the guardrails security requires.
3. Risk and impact analysis
When a user has access to systems outside their job scope, the attack surface of that single account grows far beyond what the role requires. If Michael's account is compromised via phishing, the attacker instantly gains access to HR and billing systems. Furthermore, this violates the Principle of Least Privilege, which will result in audit failures and regulatory fines.
4. Why the correct answer is BEST (Option B)
Excessive privileges accurately describes a scenario where an individual is granted rights beyond what their job function requires. Because Michael is a *new* employee, this is a baseline provisioning failure: he was given an excessive initial scope of access on day one.
5. Why other options are weaker
A is incorrect: Rights collision occurs when an identity management system assigns conflicting rules (e.g., a "deny all" rule conflicting with an "allow" rule).
C is incorrect: Privilege creep happens when an employee accumulates access over a long period (e.g., changing departments but never having old access revoked). Michael is new, so he hasn't had time to "creep."
D is incorrect: Least privilege is the governance principle that *prevents* this scenario; it is the solution, not the problem.
6. MINI LESSON: Access Governance Principles
- Principle of Least Privilege (PoLP): Users should only be granted the minimum level of access necessary to perform their stated job duties.
- Provisioning vs. Deprovisioning: Both must be automated and audited. "Cloning" accounts is an anti-pattern that guarantees excessive privileges.
- Role-Based Access Control (RBAC): Access should be tied to a defined role (e.g., "Marketing Level 1"), not manually selected or copied from another individual.
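The distinction the mini lesson draws (role-based provisioning versus cloning, and excessive day-one privileges versus privilege creep that accumulates later) is easier to see in code. The following is an added illustration, not part of the original scenario or any real IAM product: it defines a small, constructed role catalogue with hypothetical entitlement names, provisions an account both ways, and runs an access review that reports the excess and classifies it using the page's own vocabulary based on when each grant was made.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role catalogue for the example (hypothetical role and entitlement
# names, not taken from any real HR or billing product).
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "marketing_level_1": frozenset({"crm:read", "marketing_portal:write"}),
    "senior_director": frozenset({
        "crm:read", "marketing_portal:write",
        "hr_portal:admin", "billing:read", "billing:write",
    }),
}


@dataclass
class Account:
    user: str
    role: str
    hired_on: date
    # entitlement -> date it was granted, so a review can tell day-one grants
    # from grants that accumulated later in the employee's tenure
    grants: dict[str, date] = field(default_factory=dict)

    @property
    def entitlements(self) -> frozenset[str]:
        return frozenset(self.grants)


def provision_by_role(user: str, role: str, hired_on: date) -> Account:
    """RBAC provisioning: day-one access comes from the role definition only."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    return Account(user, role, hired_on, {e: hired_on for e in ROLE_ENTITLEMENTS[role]})


def provision_by_clone(user: str, role: str, hired_on: date, template: Account) -> Account:
    """The anti-pattern from the scenario: copy another person's access verbatim.
    Included only so the review below has something to catch."""
    return Account(user, role, hired_on, {e: hired_on for e in template.entitlements})


def excess_entitlements(account: Account) -> frozenset[str]:
    """Entitlements the account holds beyond its role's baseline."""
    return account.entitlements - ROLE_ENTITLEMENTS[account.role]


def classify_excess(account: Account) -> Optional[str]:
    """Map excess access to the page's vocabulary:
    - every excess grant dated on the hire date -> 'excessive_privileges' (provisioning failure)
    - any excess grant dated after the hire date -> 'privilege_creep' (accumulated over time)
    - no excess                                  -> None
    """
    excess = excess_entitlements(account)
    if not excess:
        return None
    if all(account.grants[e] == account.hired_on for e in excess):
        return "excessive_privileges"
    return "privilege_creep"


def review_accounts(accounts: list[Account]) -> dict[str, tuple[str, frozenset[str]]]:
    """Periodic access review: report every account whose access exceeds its role."""
    findings: dict[str, tuple[str, frozenset[str]]] = {}
    for acct in accounts:
        finding = classify_excess(acct)
        if finding:
            findings[acct.user] = (finding, excess_entitlements(acct))
    return findings


def build_sample_accounts() -> dict[str, Account]:
    """Constructed sample population mirroring the scenario (names are made up)."""
    director = provision_by_role("dana", "senior_director", date(2018, 3, 1))
    michael_cloned = provision_by_clone("michael", "marketing_level_1", date(2024, 6, 3), director)
    michael_rbac = provision_by_role("michael", "marketing_level_1", date(2024, 6, 3))
    # a long-tenured marketer who was handed an HR entitlement years after hire
    priya = provision_by_role("priya", "marketing_level_1", date(2019, 1, 14))
    priya.grants["hr_portal:read"] = date(2023, 9, 5)
    return {"director": director, "michael_cloned": michael_cloned,
            "michael_rbac": michael_rbac, "priya": priya}


if __name__ == "__main__":
    accts = build_sample_accounts()
    for user, (kind, extra) in review_accounts([accts["director"], accts["michael_cloned"], accts["priya"]]).items():
        print(f"{user}: {kind} -> {sorted(extra)}")
```

Run as a script, the review flags the cloned Michael account as excessive_privileges (HR admin plus billing read/write on day one) and Priya as privilege_creep, while the director and the role-provisioned Michael produce no finding. The grant dates are what let the review separate the two categories; a provisioning system that records only the current entitlement set cannot make that distinction.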