© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

ISC2 CC Access Controls Concepts • Complete Question Bank

ISC2 CC Access Controls Concepts — All Questions With Answers

Complete ISC2 CC Access Controls Concepts question bank — all 0 questions with answers and detailed explanations.

58 Questions • Free • No signup

Question 1 • medium • multiple choice

An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?

Question 2 • hard • multiple choice

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

Question 3 • easy • multiple choice

Which access control model uses subject and object labels to enforce access based on a security policy?

Question 4 • medium • multiple choice

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

Question 5 • hard • multiple choice

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

Question 6 • medium • multi select

Which TWO are characteristics of Role-Based Access Control (RBAC)?

Question 7 • hard • multi select

Which THREE are valid methods for authenticating a user in an access control system?

Question 8 • hard • multiple choice

You are the security administrator for a mid-sized e-commerce company. The company uses a Linux-based web server running Apache, with a MySQL database backend. User authentication is handled via LDAP. Recently, the security team discovered that a former employee's account was used to access the customer database two weeks after the employee was terminated. The account had not been disabled. The database contains personally identifiable information (PII). The incident was traced to an internal IP address from the marketing department. The marketing department's network segment is not segregated from the database server. Additionally, the database server's firewall rules allow any internal IP to connect to the MySQL port (3306). The company has a written policy that accounts must be disabled within 24 hours of termination, but the HR department did not notify IT in a timely manner. Which combination of controls would BEST prevent a recurrence of this incident?

Question 9 • medium • multiple choice

A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?

Question 10 • hard • multi select

A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)

Question 11 • hard • multiple choice

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

Exhibit

Refer to the exhibit.
```
Policy Name: FinanceApp Access
Subject: user role
Resource: /finance/data
Action: read, write
Condition: time between 09:00 and 17:00 AND device.os == "Windows"
Effect: Permit
```

Question 12 • medium • drag order

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Question 13 • medium • drag order

Drag and drop the steps to implement a firewall rule allowing inbound HTTPS traffic into the correct order.

Question 14 • medium • matching

Match each security control type to its description.

Discourages potential attackers

Blocks unauthorized access

Identifies and logs incidents

Restores after an incident

Alternative control when primary is not feasible

Question 15 • medium • matching

Match each authentication factor to an example.

Password

Smart card

Fingerprint

GPS location

Question 16 • easy • multiple choice

A system administrator needs to grant a user the ability to read files in a specific folder but not modify them. Which access control principle should be applied?

Question 17 • medium • multiple choice

A financial company requires that any transaction over $10,000 must be approved by two different managers before being processed. This is an example of which access control principle?

Question 18 • hard • multiple choice

During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?

Question 19 • easy • multiple choice

An organization implements an access control system where users are assigned to groups, and permissions are granted to groups rather than individuals. This is known as:

Question 20 • medium • multiple choice

A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?

Question 21 • hard • multiple choice

In a defense-in-depth strategy, which access control mechanism provides the most granular control over user permissions?

Question 22 • easy • multiple choice

Which access control model allows the owner of a resource to decide who can access it?

Question 23 • medium • multiple choice

A system administrator notices that a user has been granted read and write permissions to a folder but should only have read access. Which type of access control issue does this represent?

Question 24 • hard • multiple choice

When implementing a role-based access control (RBAC) system, what is the primary challenge organizations face?

Question 25 • medium • multi select

An organization is implementing a new access control system based on the principle of least privilege. Which two of the following practices are essential to achieving least privilege? (Select TWO)

Question 26 • hard • multi select

A security analyst is troubleshooting an access control issue where a user cannot access a file even though they seem to have the correct permissions. Which three of the following should the analyst investigate? (Select THREE)

Question 27 • easy • multi select

Which two of the following are examples of physical access controls? (Select TWO)

Question 28 • medium • multiple choice

Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?

Exhibit

```
-rw-rw-rw- 1 user1 devteam 1024 Mar 10 10:00 project_data.txt
```

Question 29 • hard • multiple choice

Refer to the exhibit. A user from the Auditors group is unable to access the folder. What is the most likely cause?

Exhibit

```
icacls C:\Projects\Financial
C:\Projects\Financial CONTOSO\Accounting:(R,W)
                      CONTOSO\Auditors:(R)
                      CONTOSO\Management:(F)
                      CONTOSO\Auditors:(DENY)(R)
```

Question 30 • easy • multiple choice

Refer to the exhibit. A user with this policy tries to list objects in bucket1 but gets an access denied error. What is the most likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*"
    }
  ]
}
```

Question 31 • medium • multiple choice

A company needs to enforce access based on attributes such as time of day and location. Which access control model is most appropriate?

Question 32 • easy • multiple choice

An organization wants to ensure that no single employee can both request and approve a payment. Which access control principle does this enforce?

Question 33 • hard • multiple choice

In a MAC environment implementing Bell-LaPadula, a subject with Secret clearance attempts to read an object classified as Confidential and write to an object classified as Top Secret. Which operations are permitted?

Question 34 • easy • multiple choice

Which authentication factor does a smart card represent?

Question 35 • medium • multiple choice

After a reorganization, a company using RBAC finds that many users have accumulated permissions that no longer align with their job functions. What is the best practice to address this?

Question 36 • hard • multiple choice

In a Bell-LaPadula MAC model, which of the following operations is prohibited?

Question 37 • easy • multiple choice

What is the primary purpose of identification in the context of access control?

Question 38 • medium • multiple choice

Which component of the AAA framework determines what resources an authenticated user can access?

Question 39 • hard • multiple choice

In a typical Windows environment, which access control model is used for managing file permissions?

Question 40 • medium • multiple choice

Based on the exhibit, which statement about the access control list is true?

Exhibit

Refer to the exhibit.

```
show access-list 101
Standard IP access list 101
    10 permit tcp any any eq 80
    20 deny icmp any any
    30 permit ip any any
```

Question 41 • hard • multiple choice

An IAM policy is shown in the exhibit. Which action is permitted for the attached user?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket2/*"
    }
  ]
}
```

Question 42 • easy • multiple choice

The exhibit shows recent authentication logs. What type of attack is most likely indicated?

Exhibit

Refer to the exhibit.

```
Mar 15 08:45:23 server sshd[1234]: Failed password for admin from 192.168.1.100 port 22
Mar 15 08:45:26 server sshd[1234]: Failed password for admin from 192.168.1.100 port 22
Mar 15 08:45:29 server sshd[1234]: Failed password for admin from 192.168.1.100 port 22
Mar 15 08:45:32 server sshd[1234]: Accepted password for admin from 192.168.1.100 port 22
```

Question 43 • easy • multi select

Which TWO of the following are examples of physical access controls?

Question 44 • medium • multi select

Which TWO scenarios best illustrate the principle of least privilege?

Question 45 • hard • multi select

Which THREE components are part of the AAA framework?

Question 46 • easy • multiple choice

A help desk technician needs to reset a user's password, but the security policy requires that the technician does not know the new password. Which access control concept prevents the technician from knowing the password?

Question 47 • easy • multiple choice

An organization implements a policy where users must swipe their ID card and enter a PIN to access a secure room. This is an example of which access control principle?

Question 48 • medium • multiple choice

After a security audit, a company discovers that several employees have access to financial systems that are not required for their job roles. Which access control model would best prevent this issue in the future?

Question 49 • medium • multiple choice

A system administrator needs to grant a contractor temporary access to a server for patching. The contractor should only have access during the patching window. Which access control implementation method is most appropriate?

Question 50 • hard • multiple choice

A company uses a mandatory access control (MAC) system where all files are labeled 'Confidential', 'Secret', or 'Top Secret'. A user with 'Secret' clearance tries to read a 'Top Secret' file. What is the outcome?

Question 51 • hard • multiple choice

An organization wants to implement a system that enforces access decisions based on a user's attributes (e.g., department, clearance, time) and environmental conditions. Which model is best?

Question 52 • easy • multi select

Which TWO are examples of technical access controls?

Question 53 • medium • multi select

Which TWO are principles of access control?

Question 54 • hard • multi select

Which THREE are examples of administrative access controls?

Question 55 • hard • multiple choice

A financial firm has a data center with strict access controls. Employees must use smart cards and PINs to enter a mantrapped entrance. Recently, an unauthorized person gained access by following an employee through the mantrapped door (tailgating). The security team reviews logs and finds that the door was opened twice in quick succession, indicating tailgating occurred. The firm wants to implement a solution that prevents tailgating without slowing down authorized access. Which action should they take?

Question 56 • medium • multiple choice

A hospital uses role-based access control (RBAC) for its electronic health records. Nurses can view patient records; doctors can view and edit; administrators can only view administrative data. Recently, a nurse was able to edit a patient's record, which should only be allowed for doctors. The investigation finds that the nurse's role was incorrectly assigned a 'doctor' role due to a misconfiguration. To prevent recurrence, the access control system should be reviewed. Which is the best long-term solution?

Question 57 • easy • multiple choice

A small business uses a cloud file storage service that allows sharing links. An employee mistakenly shared a folder containing customer data via a public link. The business wants to prevent such incidents in the future without blocking legitimate sharing. Which access control method should they implement?

Question 58 • medium • multiple choice

A government agency uses a multi-level security system with mandatory access control (MAC). A user with Secret clearance attempts to write data to a file classified as Confidential. Under the Bell-LaPadula model, which rule applies and what is the outcome?
