Domain 5 - Identity & Access Management Flashcards

1
Q
Authentication is…

A. the assertion of a unique identity for a person or system.
B. the process of verifying the identity of the user.
C. the process of defining the specific resources a user needs and determining the type of access to those resources the user may have.
D. the assertion by management that the user should be given access to a system.
A

B

2
Q
Which best describes access controls?

A. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
C. Access control is the employment of encryption solutions to protect authentication information during log-on.
D. Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.

A

B

3
Q
_______ requires that a user or process be granted access to only those resources necessary to perform assigned functions.

A. Discretionary access control
B. Separation of duties
C. Least privilege
D. Rotation of duties

A

C

4
Q
What are the seven main categories of access control?

A. Detective, corrective monitoring, logging, recovery, classification, and directive
B. Directive, deterrent, preventative, detective, corrective, compensating, and recovery
C. Authorization, identification, factor, corrective privilege, detective, and directive
D. Identification, authentication, authorization, detective, corrective, recovery, and directive

A

B

5
Q
What are the three types of access control?

A. Administrative, physical, and technical
B. Identification, authentication, and authorization
C. Mandatory, discretionary, and least privilege
D. Access management, and monitoring

A

A

6
Q
What are types of failures in biometric identification systems? (Choose ALL that apply)

A. False reject
B. False positive
C. False accept
D. False negative

A

A|C

7
Q
What best describes two-factor authentication?

A. A hard token and a smart card
B. A user name and a PIN
C. A password and a PIN
D. A PIN and a hard token

A

D

8
Q
A potential vulnerability of the Kerberos authentication server is

A. Single point of failure
B. Asymmetric key compromise
C. Use of dynamic passwords
D. Limited lifetimes for authentication credentials

A

A

9
Q
In mandatory access control the system controls access and the owner determines…

A. Validation
B. Need to know
C. Consensus
D. Verification

A

B

10
Q
Which is the least significant issue when considering biometrics?

A. Resistance to counterfeiting
B. Technology type
C. User acceptance
D. Reliability and accuracy

A

B

11
Q
Which is a fundamental disadvantage of biometrics?

A. Revoking credentials
B. Encryption
C. Communications
D. Placement

A

A

12
Q
Role-based access control

A. Is unique to mandatory access control
B. Is independent of owner input
C. Is based on user job functions
D. Can be compromised by inheritance

A

C

13
Q
Identity management is

A. Another name for access controls
B. A set of technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
C. A set of technologies and processes focused on the provisioning and decommissioning of user credentials
D. A set of technologies and processes used to establish trust relationships with disparate systems

A

B

14
Q
A disadvantage of single sign-on is

A. Consistent time-out enforcement across platforms
B. A compromised password exposes all authorized resources
C. Use of multiple passwords to remember
D. Password change control

A

B

15
Q
Which of the following is incorrect when considering privilege management?

A. Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented.
B. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.
C. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

A

D

16
Q
The Identity and Access Provisioning Lifecycle is made up of which phases? (Choose ALL that apply)

A. Review
B. Developing
C. Provisioning
D. Revocation

A

A|C|D

17
Q
When reviewing user entitlement the security professional must be MOST aware of…

A. Identity management and disaster recovery capability
B. Business or organizational processes and access aggregation
C. The organizational tenure of the user requesting entitlement
D. Automated processes which grant users access to resources

A

B

18
Q
A guard dog patrolling the perimeter of a data center is what type of a control?

A. Recovery
B. Administrative
C. Logical
D. Physical

A

D