Least Privilege

Least Privilege is a security principle requiring that users, processes, and systems receive only the minimum permissions necessary to perform their functions. A database administrator needs database access but not necessarily access to financial systems. A web server process needs to read files but not modify system configurations.

Implementing least privilege reduces the attack surface and limits damage from compromised accounts or malware. When an attacker gains access through a limited account, they cannot immediately pivot to sensitive systems.

CISSP Relevance

Least Privilege appears across multiple domains but is emphasized in Domain 5 (Identity and Access Management) and Domain 7 (Security Operations). The exam tests understanding of how least privilege applies to user accounts, service accounts, applications, and administrative access. Questions often present scenarios where excessive permissions create security risks.

NIST documents this principle in its cybersecurity glossary.

Related terms: Access Control, Separation of Duties