Practice CC Access Controls Concepts questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. Which principle ensures that users are granted only the minimum permissions necessary to perform their job functions?
2. A security administrator is reviewing physical access controls. Which control is considered an external perimeter security measure?
3. An organization implements a policy where no single employee can approve a financial transaction over $10,000; a second manager must also approve. This is an example of which access control principle?
4. Which of the following is an example of a logical access control?
5. According to NIST SP 800-63, which password policy is most recommended?
6. A company wants to implement account lockout to prevent brute-force attacks. Which lockout threshold is most appropriate according to common best practices?
7. What is the process of claiming an identity called?
8. An LDAP distinguished name (DN) is written as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' represent?
9. A security analyst notices that a user is accessing files in a department they do not work in. Which principle is being violated?
10. An organization uses a Privileged Access Management (PAM) solution. Which of the following is a primary benefit of PAM?
11. Which of the following is a recommended practice for administrative accounts?
12. A company implements a visitor management policy requiring all visitors to sign in, wear a badge, and be escorted. Which access control principle does this primarily support?
13. A security administrator is configuring a session timeout policy. Which of the following are valid reasons for implementing session timeouts? (Choose TWO.)
14. An organization is designing a defense-in-depth strategy for physical security. Which of the following are examples of layered physical controls? (Choose THREE.)
15. A company is implementing separation of duties for financial transactions. Which of the following are examples of this principle? (Choose TWO.)
16. Which principle ensures that a user is granted only the permissions necessary to perform their job functions, thereby reducing the potential impact of a compromised account?
17. A security administrator is configuring a system to prevent unauthorized access after a user leaves their workstation unattended. Which access control mechanism should be implemented?
18. An organization wants to implement a physical access control that requires two different credentials to enter a high-security server room. Which concept does this best represent?
19. A company requires that financial transactions be approved by two different managers before execution. This is an example of which access control principle?
20. Which of the following is a recommended practice for password security according to NIST SP 800-63?
21. A security analyst notices multiple failed login attempts from a single IP address within a short period. Which control would best mitigate this brute-force attack?
22. In a directory service such as Active Directory, which component is responsible for storing information about users, groups, and computers in a hierarchical structure?
23. Which of the following is an example of a logical access control?
24. What is the difference between identification and authentication?
25. A system administrator has a regular user account for daily work and a separate account with elevated privileges. Which principle is being applied?
26. An LDAP distinguished name is written as: CN=John Smith,OU=Sales,DC=company,DC=com. What do the 'OU' and 'DC' components represent?
27. Which type of access control is implemented by a cable lock attached to a laptop?
28. A security team is designing a visitor management policy. Which TWO of the following are essential components? (Select TWO.)
29. A company wants to implement defense in depth for its data center. Which THREE of the following controls should be included? (Select THREE.)
30. Which TWO of the following are recommended practices for managing privileged accounts? (Select TWO.)
31. A security administrator is configuring user permissions and ensures that each user has only the minimum rights needed to perform their job. Which access control principle is the administrator applying?
32. A bank implements a policy that requires two different employees to approve any wire transfer over $10,000. One employee initiates the transfer, and another approves it. This is an example of which access control principle?
33. An organization uses a layered security approach: perimeter fencing, access badge readers at building entrances, biometric scanners in server rooms, and cable locks on laptops. This strategy best exemplifies which access control concept?
34. Which of the following is an example of a logical access control?
35. According to modern password guidance from NIST SP 800-63, which of the following is the most important factor when setting password requirements?
36. An organization configures account lockout after 5 failed login attempts within 15 minutes. This control is designed to mitigate which type of attack?
37. An employee is assigned a user account with read-only access to the sales database. However, the employee's job requires viewing only customer contact information, not sales figures. Which access control principle is being violated?
38. In the context of identification and authentication, which of the following is an example of authentication?
39. Which of the following best describes the purpose of a session timeout?
40. A system administrator uses a separate administrative account with elevated privileges only when performing system maintenance, and uses a standard user account for daily activities like email. This practice aligns with which principle?
41. An organization uses Active Directory to manage user accounts. Which protocol does Active Directory primarily use to query and modify directory services?
42. A visitor signs in at a company's reception, receives a badge, and is escorted throughout the building. This process is part of which type of access control?
43. A security analyst is reviewing access control mechanisms. Which TWO of the following are examples of logical access controls? (Select two.)
44. An organization is designing a privileged access management (PAM) solution. Which THREE of the following are best practices for managing privileged accounts? (Select three.)
45. Which TWO of the following correctly describe components of a directory service distinguished name (DN) in LDAP? (Select two.)
46. A security administrator is configuring user permissions and wants to ensure that each user has only the access rights necessary to perform their job. Which principle is being applied?
47. An organization requires that financial transactions over $10,000 be approved by two different managers. This is an example of which access control principle?
48. A security engineer is designing a physical security plan. Which combination of controls best represents defense in depth for a data center?
49. Which of the following is an example of a logical access control?
50. According to NIST SP 800-63, which password policy is most effective for user authentication?
51. An account lockout policy is implemented to protect against which type of attack?
52. In a directory service using LDAP, what is the distinguished name (DN) for a user named John Smith in the Sales organizational unit of the company domain company.com?
53. Which process involves verifying the identity of a user who claims to be a specific person?
54. A company implements a policy where users must swipe their access card and then enter a PIN to enter the data center. This is an example of:
55. An administrator configures a Group Policy Object (GPO) in Active Directory to enforce account lockout after 5 failed attempts within 15 minutes. Which type of control is this?
56. What is the primary purpose of a Privileged Access Management (PAM) solution?
57. Which access control principle restricts access to data based on the user's job role and tasks?
58. A security analyst is reviewing physical security controls. Which TWO are examples of perimeter physical controls? (Select TWO.)
59. An organization is implementing a visitor management policy. Which THREE should be included? (Select THREE.)
60. According to NIST SP 800-63 recommendations for password policies, which THREE practices are recommended? (Select THREE.)
61. Which access control principle ensures that a user is granted only the minimum permissions necessary to perform their job functions?
62. A security administrator is implementing controls to prevent a single employee from approving and disbursing payments. Which principle is being applied?
63. An organization implements a policy requiring employees to use a separate administrator account for privileged tasks and a different account for daily activities. Which principle does this support?
64. Which of the following is an example of a physical access control at the building entrance?
65. A company requires all visitors to sign in, wear a visible badge, and be escorted while on premises. This is an example of:
66. According to NIST SP 800-63, which password policy is recommended to enhance security?
67. An account lockout policy is designed to mitigate which type of attack?
68. A session timeout automatically logs out a user after a period of inactivity. This control primarily protects against:
69. In the identification and authentication process, which step occurs first?
70. An LDAP distinguished name (DN) is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. Which component represents the organizational unit?
71. A Privileged Access Management (PAM) solution is used to:
72. An organization wants to ensure that even if an attacker compromises a user's account, the damage is limited. Which principle is most directly applied?
73. A security analyst is reviewing physical security controls. Which TWO are considered layered physical security measures for external perimeter protection?
74. Which THREE are recommended practices for password policies according to current guidelines?
75. An organization wants to implement defense in depth for its server room. Which THREE controls should be included?
76. A company implements a policy where no single employee can approve a purchase order over $10,000. Instead, two managers must jointly approve it. Which security principle does this practice exemplify?
77. An organization uses fencing, bollards, and lighting around the perimeter, guards at the main entrance, and biometric readers on server room doors. This approach is an example of:
78. A security auditor discovers that a user's account has been granted full access to all financial databases, even though the user only needs to view quarterly reports. Which access control principle has been violated most directly?
79. A company configures its firewall to block all inbound traffic except for specific necessary services. This approach aligns with which access control principle?
80. Which of the following is the primary purpose of a visitor log and escort policy?
81. An organization enforces a password policy requiring a minimum of 15 characters with no complexity requirements, and does not force periodic changes. This policy aligns with which current best practice?
82. Which of the following is an example of a logical access control?
83. In Active Directory, a GPO is used to enforce a policy that automatically locks user sessions after 15 minutes of inactivity. This is an example of which type of access control?
84. A user enters a username and password to access a system. Which phase of the access control process does entering the username represent?
85. An LDAP distinguished name is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. What does OU represent?
86. Which account type is considered highest risk and should be protected with strict controls, including separate daily use accounts?
87. An organization implements an account lockout policy that locks an account after 5 failed login attempts within 15 minutes. This control is designed to prevent:
88. A security architect is designing controls to protect a data center. Which TWO of the following are examples of physical access controls? (Select TWO.)
89. Which THREE of the following are best practices for privileged account management? (Select THREE.)
90. Which TWO of the following are components of the identification and authentication process? (Select TWO.)
91. A security administrator is configuring access rights for a new employee. Which principle ensures the employee is granted only the minimum permissions necessary to perform their job duties?
92. An organization requires that a financial transaction must be initiated by one employee and approved by a manager before processing. Which access control principle does this enforce?
93. A system administrator has an account with full administrative privileges. To reduce risk, the organization implements a policy requiring the admin to use a separate, non-privileged account for daily tasks like email and web browsing. This practice aligns with which principle?
94. A company's physical security includes fencing, security guards, access badges, and biometric locks on server room doors. This layered approach is an example of which access control concept?
95. In a directory service like Active Directory, which component is used to organize users, groups, and computers into a hierarchical structure for applying policies?
96. An organization's password policy requires passwords to be at least 8 characters long and prohibits common passwords found in breach databases. This policy aligns with which guideline?
97. A security analyst notices repeated failed login attempts from a single IP address. The account is locked after 10 failed attempts. This is an example of which type of control?
98. An employee uses their username to claim an identity and then enters a password to prove it. What is the term for the process of proving the claimed identity?
99. A visitor enters a company building and is required to sign in, present identification, and wear a visitor badge. This is an example of which type of access control?
100. In an LDAP directory, an entry is represented as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?
101. A security administrator is implementing controls to protect a server room. Which TWO physical security layers should be included as part of a defense-in-depth strategy? (Select TWO.)
102. Which TWO are examples of logical access controls? (Select TWO.)
103. Which THREE are key components of Active Directory? (Select THREE.)
104. A security architect is designing an access control policy based on the principle of need-to-know. Which TWO practices support this principle? (Select TWO.)
105. Which THREE are best practices for password management according to modern guidelines? (Select THREE.)
106. A security auditor is reviewing access controls at a financial institution. The auditor identifies a scenario where one employee can initiate a payment transaction, and the same employee can also approve it. Which access control principle is being violated, and what is the primary risk?
107. A company's security policy requires that employees use only the minimum permissions needed to perform their job functions. This practice reduces the potential impact if an account is compromised. Which TWO access control principles are being applied?
108. An organization wants to implement layered physical security for its data center. Which THREE of the following controls would be considered part of a defense-in-depth physical security strategy?
109. A system administrator is configuring account lockout policies to mitigate brute-force attacks. Which TWO settings are most critical for this purpose?
110. An employee claims to have accessed a confidential document that is not related to their job role. The security team investigates and finds that the employee's account had read access to the folder containing the document. Which TWO access control concepts were likely violated?
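Several of the distinguished-name questions above turn on reading 'CN=John Smith,OU=Sales,DC=company,DC=com' as a sequence of relative distinguished names (RDNs): the common name first, then the organizational unit, then the domain components that spell out company.com. The parser below is an added example written for this page, not code from Courseiva or from any LDAP library. It follows the RFC 4514 string form, including the backslash escapes that let a comma appear inside a value; the escaped sample DNs are constructed test inputs, and multi-valued RDNs (joined with '+') are deliberately left unhandled.

```python
"""Parse and build LDAP distinguished names in RFC 4514 string form.

Added example for the DN questions on this page; not code from the original
page. The sample DN 'CN=John Smith,OU=Sales,DC=company,DC=com' is the one the
questions use; the escaped variants in __main__ are constructed inputs.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)

# Characters that must be backslash-escaped inside a value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def _unescape(dn: str, i: int) -> Tuple[str, int]:
    """Decode the escape starting at dn[i] == '\\'; return (char, next index).

    Both the literal form '\\,' and the hex form '\\2C' decode to a comma.
    """
    if i + 1 >= len(dn):
        raise ValueError("dangling backslash at end of DN")
    pair = dn[i + 1:i + 3]
    if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
        return chr(int(pair, 16)), i + 3
    return dn[i + 1], i + 2


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leftmost (most specific) first.

    An escaped comma does not terminate an RDN, so 'CN=Smith\\, John' stays one
    value. Multi-valued RDNs joined with '+' are not handled.
    """
    rdns: List[RDN] = []
    attr = None          # attribute type of the RDN being read, set once '=' is seen
    buf: List[str] = []  # characters of the type (before '=') or the value (after)
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            ch, i = _unescape(dn, i)
            buf.append(ch)
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' in DN")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in DN")
    rdns.append((attr, "".join(buf)))
    return rdns


def escape_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: join (type, value) pairs into a DN string."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def values_of(rdns: List[RDN], attr_type: str) -> List[str]:
    """All values of one attribute type (e.g. every DC component) in DN order."""
    return [value for attr, value in rdns if attr.upper() == attr_type.upper()]


def domain_from_dn(rdns: List[RDN]) -> str:
    """Reassemble the DNS domain that the DC components spell out."""
    return ".".join(values_of(rdns, "DC"))


if __name__ == "__main__":
    sample = "CN=John Smith,OU=Sales,DC=company,DC=com"
    parts = parse_dn(sample)
    print(parts)                  # [('CN', 'John Smith'), ('OU', 'Sales'), ('DC', 'company'), ('DC', 'com')]
    print(domain_from_dn(parts))  # company.com
    print(build_dn([("CN", "Smith, John")] + parts[1:]))  # CN=Smith\, John,OU=Sales,DC=company,DC=com
```

The escaping matters in practice: a display name such as "Smith, John" written into a DN without escaping silently becomes two RDNs, which is the kind of mistake that makes group membership or access checks match the wrong entry.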
The Access Controls Concepts domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 110 questions in the Access Controls Concepts domain. Click any question to see the full explanation and answer breakdown.
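The account-lockout and password-policy questions above describe two controls by their settings: a lockout after 5 failed attempts within a 15-minute window, and a NIST SP 800-63B style password rule (minimum length, a breach or common-password blocklist, no composition rules, no forced expiry). The following is an added example written for this page to show how those settings behave, not code from Courseiva or from NIST. The 30-minute lock duration and the contents of BLOCKLIST are assumptions standing in for a site policy and a real breach corpus; timestamps are plain seconds so the run is deterministic.

```python
"""Sliding-window account lockout and a NIST SP 800-63B style password check.

Added example for the lockout and password-policy questions on this page; not
code from the original page. Threshold and window (5 failures in 15 minutes)
come from the questions; the 30-minute lock and BLOCKLIST are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional
import unicodedata

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8   # 800-63B: memorized secrets are at least 8 characters
MAX_LENGTH = 64  # verifiers should accept at least 64 characters

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
TOO_LONG = f"longer than {MAX_LENGTH} characters"
BLOCKLISTED = "found in breach/common-password blocklist"
CONTAINS_USERNAME = "contains the username"


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the policy violations for a candidate password (empty = accepted).

    Deliberately absent: composition rules (must contain a digit, a symbol...)
    and expiry, both of which 800-63B tells verifiers not to impose.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # 800-63B: normalize before comparing
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if len(pw) > MAX_LENGTH:
        problems.append(TOO_LONG)
    if pw.lower() in BLOCKLIST:
        problems.append(BLOCKLISTED)
    if username and username.lower() in pw.lower():
        problems.append(CONTAINS_USERNAME)  # context-specific words are blocklisted too
    return problems


@dataclass
class LockoutPolicy:
    threshold: int = 5              # failures that trigger a lock
    window_seconds: int = 15 * 60   # observation window for counting them
    lockout_seconds: int = 30 * 60  # how long the account stays locked (assumed value)


class LockoutTracker:
    """Counts failures per account inside a sliding window and locks on threshold."""

    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def _record_failure(self, account: str, now: float) -> bool:
        """Add a failure; return True if this one triggered a lock."""
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.policy.window_seconds:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.policy.threshold:
            self._locked_until[account] = now + self.policy.lockout_seconds
            q.clear()
            return True
        return False

    def attempt(self, account: str, credential_valid: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'failed' or 'locked'.

        A correct password during the lock is still refused. That is what stops
        a brute-force run, and also what lets anyone who knows only a username
        lock the legitimate user out.
        """
        if self.is_locked(account, now):
            return "locked"
        if credential_valid:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        return "locked" if self._record_failure(account, now) else "failed"


if __name__ == "__main__":
    tracker = LockoutTracker()
    for t in (0, 60, 120, 180):
        print(tracker.attempt("jsmith", False, t))      # failed (four times)
    print(tracker.attempt("jsmith", False, 240))        # locked: 5th failure inside 15 min
    print(tracker.attempt("jsmith", True, 300))         # locked: right password, still refused
    print(tracker.attempt("jsmith", True, 240 + 1801))  # ok: lock has expired
    print(check_password("Password1", "jsmith"))        # ['found in breach/common-password blocklist']
```

The two settings that decide whether the control bites are the threshold and the observation window: with the window, four failures followed by a fifth much later do not lock the account, because the oldest failures have aged out. The lockout duration is the third knob and is where the denial-of-service trade-off lives; a real deployment would persist the counters and pass `time.time()` rather than fixed seconds.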
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Access Controls Concepts domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.