CISSP Q V1.4 DOMAIN 5 Identity and Access Management (IAM) COPY Flashcards
In order to give employees appropriate access rights, a company might choose to determine what tasks need to be accomplished, and then to define what access rights are necessary to accomplish said tasks. What type of access control system would most accurately fit this situation?
A. Rule-based access control and need-to-know.
B. Role-based access control.
C. Need-to-know and least privilege.
D. Non-discretionary access control.
B. Role-based access control.
Role-based access control means determining which people belong in which roles, and then defining what resources the people in those roles should be able to access. While (C) might be tempting, least privilege shouldn’t be considered an access control system.
What answer lists 3 control categories?
A. Preventative, physical, detective
B. Physical, administrative, technical
C. Deterrent, preventative, compensating
D. Administrative, directive, deterrent
C. Deterrent, preventative, compensating
What are the 7 control categories?
D, D, D, C, C, R, P
The 7 control categories (The 7 C’s) are directive, deterrent, detective, compensating, corrective, recovery, and preventative.
What are the 3 control types?
A, T or L, P
The 3 Types (3 T’s) are Administrative, Technical or Logical, and Physical.
Which of the following devices has an embedded microchip which can store enormous amounts of data, double as an access card for doors, and an authenticator for a computer?
A. Smart Card.
B. Proximity card, or “prox card.”
C. PIN card.
D. Magnetic-stripe Card.
A. Smart Card.
The clue in the question is “store enormous amounts of data.” A proximity card and a magnetic-stripe card can be used as access cards for doors and even as an authentication mechanism for a computer, but neither can store enormous amounts of data. PIN cards can’t store enormous amounts of data, and also don’t typically open doors.
Which statement BEST describes an access control?
A. A hidden device that permits identity spoofing.
B. A deployment of encryption to protect authorization systems.
C. A mechanism that helps protect systems by controlling unauthorized user activities.
D. A systems device that records all user login attempts.
C. A mechanism that helps protect systems by controlling unauthorized user activities.
Which of the following operations security activities requires the least amount of training and experience?
A. Maintaining operational resilience.
B. Controlling user accounts.
C. Protecting valuable assets.
D. Managing security services effectively.
B. Controlling user accounts.
To create an effective access control system for your organization’s desktops, what must be created?
A. The company’s computer organizational placement chart.
B. A list that shows which users have requested special permissions.
C. A set of firewall rules that either permit or deny different computer systems access to specific services.
D. A set of Kerberos rules that the Kerberos Ticket Granting Server (TGS) uses to allow users access to certain files.
C. A set of firewall rules that either permit or deny different computer systems access to specific services.
Allowing different computers to have different levels of access to systems is normally done with rule-based access control. Rule-based control for desktops is usually best done with firewall rule sets.
Which answer below contains two of the MOST accurate biometric systems?
A. Retinal scans and hand geometry.
B. Iris Scans and keystroke dynamics.
C. Fingerprint readers and facial recognition.
D. Iris scans and vascular pattern scans.
D. Iris scans and vascular pattern scans.
(D) is the correct answer. We are looking for the best combination. Retina and iris scans are commonly agreed to be some of the best due to their high reliability and their low risk of compromise. That allows us to eliminate (C). Focusing on the second half of the combination, keystroke dynamics isn’t in the same league as a hand scan, so eliminate (B). Between hand geometry and vascular pattern scans, vascular pattern scans are more reliable, so (D) is better than (A).
In the context of the Confidentiality, Integrity and Availability (CIA) triad, “Perfect availability” of a resource means which of the following?
A. Availability 24 hours a day, 7 days a week (24/7)
B. Availability whenever authorized users require access to the resource in order to do their jobs.
C. Availability as appropriate to support the Business Continuity Plan / Disaster Recovery Plan (BCP/DR).
D. Full availability even to users in branch offices who have to remote in to access said resources.
B. Availability whenever authorized users require access to the resource in order to do their jobs.
In the student manual, availability is defined as “aim[ing] at ensuring that systems are up and running so that persons can use them when they are needed.” Leaving aside the issue that the need for availability extends beyond “systems,” note: “when they are needed.”
(A) would only be appropriate if the resource were needed 24/7. (C) does not extend far enough. (D) is a distractor. “Users in branch offices” need the same kind of availability that other “users” do.
If a system’s security goal is that no subject can gain access to any object without authorization, which of the following should be implemented?
A. The security kernel implementing the reference monitor concept.
B. The ring protection mechanism.
C. Virtual memory mapping and process isolation.
D. Correct management of memory and storage.
A. The security kernel implementing the reference monitor concept.
Answer (A) is correct. Answer (B) is too general, Answer (C) describes how applications work with the OS, and Answer (D) is a distractor.