A security administrator is implementing an access control model that assigns permissions based on the clearance of the subject and the classification of the object. Which model is being implemented?
A company is implementing a Single Sign-On (SSO) solution that uses XML-based assertions to exchange authentication and authorization data between an identity provider and a service provider. Which protocol is being used?
An organization wants to ensure that privileged accounts are used only when needed and that all activities are recorded. Which Privileged Access Management (PAM) control should be implemented?
A security analyst is evaluating a biometric system. The system currently has a high number of false rejections. Which metric is most directly related to this issue?
A user claims to be 'jsmith' and provides a password. What is the term for the step where the system verifies that the password matches the one on file for 'jsmith'?
An organization uses Kerberos for single sign-on. When a user logs in, they receive a Ticket Granting Ticket (TGT). What is the primary purpose of the TGT?
A security administrator needs to implement an access control model that grants access based on attributes of the user, resource, and environment, using policy rules. Which model is most appropriate?
In a federated identity scenario, a user authenticates to their home domain and accesses a resource in a partner domain. The partner domain trusts the authentication performed by the home domain. What is the home domain's role in this trust relationship?
A security engineer is designing a system that must ensure data integrity at all costs, even if it means sacrificing availability. Which access control model and corresponding principle should be applied?
An organization is implementing a password policy that requires passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 90 days. Additionally, users cannot reuse any of the last 10 passwords. Which password policy element does the last requirement address?
A company is implementing an access control system for a high-security environment. Which TWO of the following are characteristics of Mandatory Access Control (MAC)?
A security auditor is reviewing the account lifecycle process. Which TWO of the following are mandatory steps during the deprovisioning (offboarding) process?
A security administrator is implementing an access control system that uses sensitivity labels on subjects and objects. The policy dictates that a subject can only read objects with a label equal to or lower than the subject's clearance, and can only write to objects with a label equal to or higher than the subject's clearance. Which access control model and principle are being enforced?
An organization uses Kerberos for SSO. A user reports that after entering their password, they receive a 'ticket expired' error when trying to access a network share. The system administrator checks the Kerberos configuration. Which ticket is most likely expired?
An organization is implementing a federated identity system to allow employees to access a partner's cloud application using their corporate credentials. The solution must support single sign-on and use XML-based assertions. Which technology should be used?
A company is implementing a biometric authentication system for physical access to a data center. The system must minimize false acceptances. Which metric is most directly related to false acceptance rate (FAR)?
A security analyst is reviewing access controls for a database server. The database administrator has granted all users in the 'sales' role SELECT, INSERT, UPDATE, and DELETE permissions on the 'orders' table. Which access control principle is being violated?
An organization uses an ABAC system to control access to documents. Policies are defined using attributes such as user department, document classification, and time of day. Which of the following is an example of an ABAC policy rule?
A company implements a password policy requiring a minimum length of 12 characters, including uppercase, lowercase, digits, and special characters. Passwords must be changed every 90 days, and the last 10 passwords cannot be reused. After a brute-force attack, several accounts were compromised despite the policy. Which additional control would most effectively mitigate such attacks?
A security architect is designing an access control system for a healthcare application. The system must ensure that a nurse can view patient records but cannot modify them, and that a doctor can both view and update records. Additionally, the system must prevent a single user from both ordering a medication and approving its administration. Which TWO access control principles are being applied? (Select TWO.)
A company is migrating to a cloud-based SaaS application and wants to implement federated identity. Users will authenticate using their existing corporate Active Directory credentials. Which THREE components are essential for a SAML-based federation? (Select THREE.)
A security administrator is configuring password policies to meet compliance. Which combination of settings provides the strongest protection against brute-force attacks?
In a Bell-LaPadula model implementation, a user with a Secret clearance attempts to read a document classified as Top Secret. Additionally, they try to write to a document classified as Unclassified. What are the results of these actions?
An organization implements RBAC to enforce separation of duties. Which of the following is a key benefit of using role-based access control in this context?
During a security audit, it is discovered that a service account has been used to log in interactively to a server. The account was originally provisioned only for running a background service. Which PAM (Privileged Access Management) control would best prevent such misuse in the future?
In a federated identity environment using SAML, what is the role of the Identity Provider (IdP) when a user requests access to a service provider (SP)?
An organization uses OAuth 2.0 for delegated access to a cloud storage API. A third-party application requests an access token to read user files. What is the primary purpose of the access token in OAuth?
During a user offboarding process, the security team must ensure that the former employee's access is revoked immediately. However, the user's manager requests that the account remain active for a week to review files. What is the BEST practice?
An organization wants to implement separation of duties to reduce the risk of fraud. Which THREE of the following are common techniques used to enforce separation of duties?
A security architect is designing an access control system for a healthcare application that requires fine-grained access decisions based on user role, location, time of day, and patient consent. Which TWO access control models are best suited for this requirement?
An organization implements a policy requiring passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 60 days. Which password policy elements are being enforced?
An organization uses Kerberos for single sign-on (SSO) within its Windows domain. Which component issues ticket-granting tickets (TGTs) after verifying user credentials?
A security administrator is configuring a system to enforce separation of duties. In which access control model is this principle most directly implemented?
An organization uses smart cards with PKI certificates for authentication. Users must insert the card and enter a PIN. This is an example of which authentication method?
An organization has implemented a PAM solution for managing privileged accounts. Which feature allows administrators to request temporary elevated access for a specific task?
A security analyst notices that a service account has been granted domain administrator privileges. Which principle of access control is being violated?
A company wants to implement multi-factor authentication (MFA) for remote access. Which TWO of the following are examples of different authentication factors? (Choose TWO.)
An organization is designing an access control policy for a new system. Which THREE of the following are fundamental principles that should be incorporated? (Choose THREE.)
An organization wants to implement multi-factor authentication (MFA) for remote access. Which combination represents something you have and something you are?
An organization implements a Privileged Access Management (PAM) solution. Which capability best describes granting temporary administrative rights just when needed?
A security analyst notices that a user's account was used to access sensitive files after the user had left the company. Which access control principle was most likely violated?
An organization uses ABAC to control access to a document. Which attribute combination would be used to allow access only during business hours from a managed device?
A security administrator is configuring a new system and wants to enforce a mandatory access control model to ensure confidentiality of classified data. Which access control model should the administrator implement?
A security analyst is investigating an account compromise. The organization uses Kerberos for single sign-on. Which TWO of the following would help in tracking the source of the compromise?
A security engineer is designing a federated identity solution for cross-domain authentication. Which THREE of the following technologies are commonly used?