CCNA Access Controls Questions

58 questions · Access Controls topic · All types, answers revealed

1
Multi-Select · medium

An organization is implementing a new access control system based on the principle of least privilege. Which two of the following practices are essential to achieving least privilege? (Select TWO)

Select 2 answers
A. Review permissions regularly
B. Use role-based access control
C. Grant users default full access and restrict later
D. Enable accounts after use
E. Provide write access to all users
Answers: A, B

Regular reviews help maintain minimal permissions by revoking unnecessary access.

Why this answer

Option A is correct because regular permission reviews are essential to maintaining least privilege over time. Users' roles and responsibilities change, and without periodic audits, excessive permissions can accumulate, violating the principle. This aligns with the NIST SP 800-53 AC-6 control for least privilege, which requires organizations to review user access rights at defined intervals. Option B is correct for the same reason: role-based access control scopes permissions to defined job roles, so each user receives only the rights that role requires.

Exam trap

ISC2 often tests whether candidates confuse the principle of least privilege with account management practices like enabling/disabling accounts, or mistakenly think starting with full access and restricting later is acceptable, when in fact least privilege requires a default-deny posture.

2
MCQ · easy

The exhibit shows recent authentication logs. What type of attack is most likely indicated?

A. Man-in-the-middle attack
B. Brute-force attack
C. Phishing attack
D. Privilege escalation
Answer: B

Rapid failed logins then success suggests password guessing.

Why this answer

The exhibit shows repeated authentication attempts with different passwords for the same username, which is the hallmark of a brute-force attack. In authentication logs, a high frequency of failed login attempts (e.g., multiple 'Failed password' entries in quick succession) indicates an attacker systematically guessing credentials. This aligns with the CC domain of Access Controls, where brute-force attacks target weak password policies.

Exam trap

ISC2 often tests the distinction between brute-force and dictionary attacks; the trap here is that candidates may confuse repeated login attempts with a phishing attack, but phishing requires user interaction (e.g., clicking a link), whereas brute-force is automated against the authentication service.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would show evidence of intercepted or modified traffic (e.g., ARP spoofing, SSL stripping), not repeated login failures. Option C is wrong because a phishing attack relies on tricking users into revealing credentials via deceptive emails or websites, not on direct login attempts against the authentication server. Option D is wrong because privilege escalation involves gaining higher-level access after initial compromise (e.g., exploiting SUID binaries or misconfigured sudo), not repeated password guessing.

3
Multi-Select · hard

Which THREE are examples of administrative access controls?

Select 3 answers
A. Mantraps
B. Password complexity requirements
C. Guard patrols
D. Security policies
E. Background checks
Answers: B, D, E

These are procedural rules, hence administrative.

Why this answer

Password complexity requirements are administrative access controls because they are defined in security policies and enforced through user behavior and organizational rules, not through hardware or software mechanisms. They fall under the administrative category of access control, which includes policies, procedures, and guidelines that govern user actions and access rights. Security policies and background checks are administrative for the same reason: they are organizational rules and procedures that govern people, not mechanisms enforced by hardware or software.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical access controls, and the trap here is that candidates may confuse password complexity requirements (administrative) with technical controls like password filters or account lockout mechanisms.

4
MCQ · hard

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

A. Job rotation
B. Need-to-know
C. Separation of duties
D. Least privilege
Answer: D

Least privilege requires minimal permissions; write access is excessive.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting write access when only read access is required violates this principle by providing unnecessary and potentially harmful capabilities. This is a core access control concept in the CC exam.

Exam trap

ISC2 often tests least privilege by contrasting it with need-to-know, where candidates mistakenly choose need-to-know because both involve limiting access, but least privilege focuses on the permission level (read vs. write) while need-to-know focuses on the data scope.

How to eliminate wrong answers

Option A is wrong because job rotation is a security practice where users periodically switch roles to reduce fraud risk, not a principle about limiting permissions. Option B is wrong because need-to-know restricts access to specific data based on necessity, but the violation here is about the level of privilege (read vs. write), not the data itself. Option C is wrong because separation of duties ensures no single user has conflicting responsibilities (e.g., creating and approving transactions), which is not the issue in this scenario.

5
MCQ · hard

In a typical Windows environment, which access control model is used for managing file permissions?

A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer: A

File owners can grant or deny permissions to others.

Why this answer

In a typical Windows environment, file permissions are managed using Discretionary Access Control (DAC), where the owner of a resource (e.g., a file or folder) can grant or deny access to other users or groups. This is implemented via NTFS permissions, which allow the owner to set ACLs (Access Control Lists) on objects, giving them discretion over who can read, write, or execute. Windows does not enforce a system-wide policy beyond the owner's decisions, which is the hallmark of DAC.

Exam trap

ISC2 often tests the misconception that Windows uses RBAC because of Active Directory groups, but AD groups are merely a convenience for assigning DAC permissions, not a role-based system; the key distinction is that DAC gives discretion to the resource owner, while RBAC assigns permissions based on organizational roles defined by an administrator.

How to eliminate wrong answers

Option B (RBAC) is wrong because Windows does not natively use Role-Based Access Control for file permissions; RBAC is typically implemented in enterprise applications or databases (e.g., SQL Server) and assigns permissions based on job functions, not owner discretion. Option C (MAC) is wrong because Mandatory Access Control is not used in standard Windows; it is a feature of high-security systems like SELinux or Trusted Solaris, where a central authority (e.g., a security label) overrides owner decisions. Option D (ABAC) is wrong because Attribute-Based Access Control is not the default model for Windows file permissions; ABAC evaluates policies based on attributes (e.g., time, location) and is more common in modern cloud or network access control systems (e.g., AWS IAM), not in the NTFS permission system.

6
Multi-Select · easy

Which two of the following are examples of physical access controls? (Select TWO)

Select 2 answers
A. Security guards
B. Encryption
C. Password policies
D. Firewall rules
E. Biometric door locks
Answers: A, E

Security guards monitor and control physical access to premises.

Why this answer

Security guards are a physical access control because they provide a human barrier to unauthorized entry, monitoring and challenging individuals who attempt to access restricted areas. They enforce physical security policies through observation, verification, and intervention, making them a classic example of a deterrent and preventive physical control. Biometric door locks are likewise a physical control: they restrict who can enter a space rather than who can read data.

Exam trap

ISC2 often tests the distinction between physical, administrative, and logical/technical controls, and the trap here is that candidates confuse encryption or firewall rules as 'physical' because they are tangible in implementation, but they are actually logical controls that protect data, not physical assets or premises.

7
MCQ · medium

Based on the exhibit, which statement about the access control list is true?

A. All IP traffic is permitted except ICMP
B. HTTP traffic is denied
C. Only HTTP traffic is permitted
D. ICMP echo requests are permitted
Answer: A

Line 10 permits HTTP, line 20 denies ICMP, line 30 permits all other IP.

Why this answer

The exhibit shows an access control list (ACL) that explicitly denies ICMP traffic with the entry 'deny icmp any any' and then permits all other IP traffic with 'permit ip any any'. Since ACLs are processed sequentially and the 'permit ip any any' matches all IP protocols (including HTTP, HTTPS, etc.) except those already denied, the result is that all IP traffic is permitted except ICMP. This makes option A correct.

Exam trap

ISC2 often tests the sequential nature of ACLs and the fact that 'permit ip any any' permits all IP protocols except those explicitly denied earlier, leading candidates to mistakenly think ICMP is permitted or that only HTTP is allowed.

How to eliminate wrong answers

Option B is wrong because HTTP traffic (TCP port 80) is a subset of IP traffic and is explicitly permitted by the 'permit ip any any' entry; there is no deny statement for HTTP. Option C is wrong because the ACL permits all IP traffic (except ICMP), not just HTTP; HTTP is only one of many permitted protocols. Option D is wrong because ICMP echo requests are a type of ICMP traffic, and the ACL contains a 'deny icmp any any' statement that blocks all ICMP, including echo requests.

8
MCQ · easy

A system administrator needs to grant a user the ability to read files in a specific folder but not modify them. Which access control principle should be applied?

A. Role-Based Access Control (RBAC)
B. Least Privilege
C. Separation of Duties (SoD)
D. Mandatory Access Control (MAC)
Answer: B

Least privilege grants only the permissions necessary for the job, such as read-only access.

Why this answer

The principle of Least Privilege dictates that a user should be granted only the minimum permissions necessary to perform their job functions. In this scenario, granting read-only access to a specific folder (e.g., using NTFS 'Read' permission or Linux 'r--' on the directory) ensures the user cannot modify files, directly applying Least Privilege. This prevents accidental or intentional data alteration while still allowing necessary access.

Exam trap

ISC2 often tests the distinction between an access control *model* (like RBAC or MAC) and a security *principle* (like Least Privilege), causing candidates to confuse the mechanism with the overarching goal of minimizing permissions.

How to eliminate wrong answers

Option A is wrong because RBAC is an access control model that assigns permissions based on roles, not a principle that specifically limits permissions to the minimum required; it could still grant excessive permissions if the role is poorly defined. Option C is wrong because Separation of Duties (SoD) is a principle that prevents a single individual from having conflicting responsibilities (e.g., both authorizing and executing a transaction), not a method for limiting file permissions to read-only. Option D is wrong because Mandatory Access Control (MAC) enforces system-wide policies (e.g., using SELinux labels or Windows Integrity Levels) that users cannot override, but it is a model, not the specific principle of granting only the minimum necessary access for a given task.

9
MCQ · medium

A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?

A. Attribute-Based Access Control (ABAC)
B. Rule-Based Access Control (RuBAC)
C. Discretionary Access Control (DAC)
D. Mandatory Access Control (MAC)
Answer: B

RuBAC enforces access based on rules including time and device.

Why this answer

Rule-Based Access Control (RuBAC) is the correct choice because it enforces access decisions based on a set of predefined rules, such as time-of-day restrictions and device compliance. In this scenario, the rules 'business hours only' and 'company-issued devices only' are static conditions that can be implemented as access control rules (e.g., using a firewall ACL or a policy engine) without requiring user attributes or labels. RuBAC is ideal when access is governed by operational policies that are not tied to user identity or data classification.

Exam trap

ISC2 often tests the distinction between RuBAC and ABAC by presenting a scenario with multiple conditions (time, device, location) that seems to require ABAC, but the trap is that if the conditions are static and predefined (not evaluated dynamically from user/object attributes), RuBAC is the simpler and correct model.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) evaluates access based on multiple dynamic attributes (e.g., user role, time, device type, location) using a policy engine, which is more complex than needed for simple static rules; while it could technically enforce these requirements, the question asks for the model that 'best supports' them, and RuBAC is simpler and more direct. Option C is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which cannot enforce mandatory time-of-day or device restrictions. Option D is wrong because Mandatory Access Control (MAC) enforces access based on system-wide labels (e.g., security clearance and classification), not on time or device attributes, and is typically used in high-security environments like military systems.

10
MCQ · easy

Which access control model allows the owner of a resource to decide who can access it?

A. Mandatory Access Control (MAC)
B. Role-Based Access Control (RBAC)
C. Attribute-Based Access Control (ABAC)
D. Discretionary Access Control (DAC)
Answer: D

DAC allows resource owners to set permissions at their discretion.

Why this answer

Discretionary Access Control (DAC) allows the owner of a resource to determine who can access it and with what permissions. In DAC, the resource creator or authorized owner can grant or revoke access rights to other subjects, typically through access control lists (ACLs) or file permissions. This model is commonly implemented in operating systems like Windows NTFS and Linux file systems, where the owner sets read, write, or execute permissions.

Exam trap

ISC2 often tests the distinction between DAC and MAC by presenting a scenario where a user can change permissions on their own files, and candidates mistakenly choose MAC because they confuse 'mandatory' with 'owner-controlled' or think MAC allows user discretion.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) enforces access decisions based on system-wide security labels (e.g., classifications like Top Secret) and does not allow resource owners to change permissions; only administrators or the system can. Option B is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'Manager' or 'Auditor'), not at the discretion of the resource owner. Option C is wrong because Attribute-Based Access Control (ABAC) uses policies that evaluate attributes of the user, resource, and environment (e.g., time of day, location) to grant access, and the resource owner does not have direct control over individual access decisions.

11
Matching · medium

Match each security control type to its description.

Discourages potential attackers

Blocks unauthorized access

Identifies and logs incidents

Restores after an incident

Alternative control when primary is not feasible

Why these pairings

These are common categories of security controls per NIST and ISC2.

12
Multi-Select · easy

Which TWO are examples of technical access controls?

Select 2 answers
A. Security awareness training
B. Security policies
C. Encryption
D. ID badges
E. Access control lists
Answers: C, E

Encryption is a technical control that protects data confidentiality.

Why this answer

Encryption (C) is a technical access control because it uses cryptographic algorithms (e.g., AES-256, RSA) to transform data into an unreadable format, ensuring that only authorized entities with the correct decryption key can access the original information. This enforces confidentiality and access restrictions at the data level, independent of user behavior or administrative policies. Access control lists (E) are also technical controls because they are enforced by the operating system, router, or firewall that evaluates them against each access request.

Exam trap

ISC2 often tests the distinction between administrative, physical, and technical controls, and the trap here is that candidates confuse 'security awareness training' or 'security policies' as technical controls because they are part of a security program, but they are not implemented through technology or code.

13
MCQ · medium

A company needs to enforce access based on attributes such as time of day and location. Which access control model is most appropriate?

A. Attribute-Based Access Control (ABAC)
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Role-Based Access Control (RBAC)
Answer: A

ABAC evaluates policies based on subject and object attributes.

Why this answer

Attribute-Based Access Control (ABAC) is the correct choice because it evaluates policies based on multiple attributes (e.g., time of day, location, user role, device type) at runtime. This allows fine-grained, context-aware access decisions, such as permitting access only during business hours from a corporate office. ABAC uses a policy engine to evaluate attribute-based rules, making it ideal for dynamic environments where access depends on environmental conditions.

Exam trap

ISC2 often tests the distinction between RBAC and ABAC by presenting a scenario with dynamic attributes (like time/location) — candidates mistakenly choose RBAC because they associate roles with access control, but RBAC cannot evaluate contextual attributes without additional mechanisms.

How to eliminate wrong answers

Option B (MAC) is wrong because it enforces access based on fixed security labels (e.g., classification levels like Top Secret) assigned by a central authority, not on dynamic attributes like time or location. Option C (DAC) is wrong because it allows resource owners to set permissions at their discretion, which lacks the centralized, attribute-driven policy enforcement needed for time- and location-based controls. Option D (RBAC) is wrong because it grants access based solely on predefined roles (e.g., manager, employee), not on contextual attributes such as time of day or geographic location.

14
MCQ · hard

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

A. Use a group managed service account with a 30-day password expiration.
B. Create a security group with a time-based membership that expires automatically after 30 days.
C. Assign each intern directly to the folder permissions and set a calendar reminder to revoke.
D. Create a security group, add interns, and manually remove them after 30 days.
Answer: B

Time-based group membership automates access lifecycle, aligning with least privilege.

Why this answer

Option B is correct because Active Directory supports time-based group membership via the `memberTimeToLive` attribute (introduced in Windows Server 2016), which allows a security group to be configured so that members are automatically removed after a specified duration. This eliminates manual intervention and ensures the interns lose access exactly after 30 days without requiring password changes or calendar reminders.

Exam trap

ISC2 often tests the misconception that manual processes (like calendar reminders or manual removal) are acceptable for temporary access, when in fact Active Directory provides an automated, policy-driven mechanism (time-based group membership) that is both more efficient and more secure.

How to eliminate wrong answers

Option A is wrong because a Group Managed Service Account (gMSA) is designed for automated service identity management, not for granting user access to shared folders; password expiration on a gMSA does not control user permissions and is unrelated to folder access. Option C is wrong because assigning each intern directly to folder permissions violates the principle of least administrative effort and scalability; it also relies on a fallible calendar reminder rather than an automated, policy-driven mechanism. Option D is wrong because manually removing members after 30 days is inefficient, error-prone, and does not leverage Active Directory's built-in time-based membership feature, which is specifically designed to automate this exact scenario.

15
MCQ · medium

A financial company requires that any transaction over $10,000 must be approved by two different managers before being processed. This is an example of which access control principle?

A. Least Privilege
B. Need-to-Know
C. Dual Control
D. Separation of Duties
Answer: D

SoD ensures that no single individual has complete control over a sensitive process by requiring multiple approvals.

Why this answer

The requirement for two different managers to approve a transaction over $10,000 enforces Separation of Duties (SoD). This access control principle ensures that no single individual has the authority to execute a high-risk action alone, thereby preventing fraud or error by splitting critical tasks across multiple roles. In this scenario, one manager cannot both initiate and approve the transaction, which directly aligns with SoD's goal of distributing responsibility.

Exam trap

ISC2 often tests the distinction between Dual Control and Separation of Duties, where Dual Control implies simultaneous action (e.g., two keys turned together) while Separation of Duties implies sequential or divided responsibilities, causing candidates to mistakenly choose Dual Control when the question describes sequential approval.

How to eliminate wrong answers

Option A (Least Privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their job, not on requiring multiple approvals for a single action. Option B (Need-to-Know) is wrong because it restricts access to data based on necessity for a specific task, not on enforcing collaborative authorization for transactions. Option C (Dual Control) is wrong because while it involves two individuals, it is a subset of Separation of Duties that specifically requires simultaneous action (e.g., two keys turned at once), whereas the question describes sequential approval by two managers, which is classic Separation of Duties.

16
MCQ · hard

During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?

A. Notify the contractor's manager
B. Revoke the contractor's access immediately
C. Perform a risk assessment
D. Log the access for evidence
Answer: B

Revoking access immediately stops the unauthorized access and reduces risk.

Why this answer

The immediate priority is to revoke the contractor's access to the unauthorized customer databases to stop any potential data exfiltration or misuse. Access controls follow the principle of least privilege, and any discovered over-provisioning must be corrected instantly to contain the risk. Delaying revocation for notification, assessment, or logging leaves the sensitive data exposed to an unauthorized user.

Exam trap

ISC2 often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who choose risk assessment or logging first instead of immediate access revocation.

How to eliminate wrong answers

Option A is wrong because notifying the contractor's manager does not remove the active access; the contractor can still query or exfiltrate data while the notification is processed. Option C is wrong because performing a risk assessment is a secondary step that should occur after access is revoked; leaving access in place during assessment violates the security principle of containment. Option D is wrong because logging access for evidence is important for forensics but does not mitigate the ongoing risk; the access must be terminated first to prevent further unauthorized actions.

17
MCQ · medium

An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?

A. Implement mandatory access control (MAC) with labels for all data.
B. Use role-based access control (RBAC) to grant permissions specific to each administrator's duties.
C. Allow administrators to self-assign permissions as needed.
D. Assign each administrator full database admin rights for simplicity.
Answer: B

RBAC aligns with least privilege by scoping permissions to roles.

Why this answer

Role-based access control (RBAC) directly enforces the principle of least privilege by granting database administrators only the permissions required for their specific job functions. Unlike MAC, which focuses on data classification labels, RBAC maps roles (e.g., backup admin, security admin) to precise sets of privileges, ensuring no user has unnecessary access.

Exam trap

ISC2 often tests the distinction between MAC (which controls access based on data labels) and RBAC (which controls access based on job roles), and the trap here is that candidates mistakenly choose MAC because they associate 'least privilege' with strict classification systems, not realizing that RBAC is the practical, role-specific mechanism for limiting database administrator permissions.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) enforces system-wide security labels (e.g., Top Secret, Secret) and is typically used in military or high-security environments; it does not granularly restrict permissions based on an administrator's specific duties, and it can be overly complex for database administration. Option C is wrong because allowing administrators to self-assign permissions violates the principle of least privilege entirely, as it gives them unchecked authority to escalate their own access. Option D is wrong because assigning full database admin rights to every administrator directly contradicts least privilege by granting excessive, unrestricted access to all database resources, increasing the risk of accidental or malicious damage.

18
MCQ · easy

An organization implements an access control system where users are assigned to groups, and permissions are granted to groups rather than individuals. This is known as:

A. Mandatory Access Control (MAC)
B. Role-Based Access Control (RBAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)
Answer: B

RBAC uses roles/groups to manage permissions efficiently.

Why this answer

Role-Based Access Control (RBAC) assigns permissions to roles (or groups) rather than to individual users. Users are then made members of these roles, inheriting the permissions associated with the role. This matches the description in the question, where users are assigned to groups and permissions are granted to those groups.

Exam trap

ISC2 often tests the distinction between RBAC and ABAC by describing group-based assignment (RBAC) versus policy-based evaluation of multiple attributes (ABAC), leading candidates to confuse the two when the question mentions 'attributes' or 'policies'.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) enforces access based on system-wide security labels (e.g., classification levels) and is not based on user group membership. Option C is wrong because Discretionary Access Control (DAC) allows individual resource owners to set permissions on their objects, typically using Access Control Lists (ACLs), not by assigning users to groups with predefined permissions. Option D is wrong because Attribute-Based Access Control (ABAC) evaluates policies based on multiple attributes (user, resource, environment) at the time of access, not on static group membership.

19
MCQ · easy

A help desk technician needs to reset a user's password, but the security policy requires that the technician does not know the new password. Which access control concept prevents the technician from knowing the password?

A. Discretionary access control (DAC)
B. Need to know
C. Least privilege
D. Separation of duties
Answer: B

Need to know ensures users only access information required for their job tasks.

Why this answer

The 'need to know' concept restricts access to information based on whether the user requires that information to perform their job functions. In this scenario, the technician must reset the password but does not need to know the new password itself, so the policy enforces that the technician cannot view or retain the new password. This is distinct from least privilege, which limits permissions to the minimum necessary, but does not inherently prevent knowledge of the password if the technician has the reset permission.

Exam trap

ISC2 often tests the distinction between 'least privilege' and 'need to know' by presenting a scenario where a user has permissions but should not know the data, leading candidates to mistakenly choose least privilege because it sounds similar, when 'need to know' specifically addresses knowledge of the information itself.

How to eliminate wrong answers

Option A is wrong because discretionary access control (DAC) allows the resource owner to set permissions, which does not inherently prevent the technician from knowing the password; it focuses on owner-based control, not on limiting knowledge. Option C is wrong because least privilege ensures the technician has only the minimum permissions needed (e.g., the ability to reset passwords), but it does not specifically prevent the technician from seeing the new password; a technician with reset rights could still view it unless a separate control like 'need to know' is applied. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., one person resets, another sets the password), but the scenario describes a single technician performing the reset, not a split of responsibilities.

20
MCQ · hard

A financial firm has a data center with strict access controls. Employees must use smart cards and PINs to enter a mantrapped entrance. Recently, an unauthorized person gained access by following an employee through the mantrapped door (tailgating). The security team reviews logs and finds that the door was opened twice in quick succession, indicating tailgating occurred. The firm wants to implement a solution that prevents tailgating without slowing down authorized access. Which action should they take?

A. Require employees to log access requests in advance
B. Install a biometric scanner that requires fingerprint and retina scan
C. Implement a turnstile that allows only one person per smart card authentication
D. Increase the number of security guards at the entrance
Answer: C

Turnstiles physically enforce one person per credential, directly preventing tailgating.

Why this answer

Option C is correct because a turnstile physically enforces one-person-per-authentication by rotating only after a valid smart card read and allowing a single passage, then locking until the next authentication. This directly prevents tailgating without adding delay, as each authorized user passes through at their own pace without needing additional steps like biometric scans or pre-approval.

Exam trap

ISC2 often tests the distinction between detection (e.g., logs, cameras) and prevention (e.g., turnstiles, mantrap doors), so candidates mistakenly choose biometric or procedural options that only detect or deter rather than physically block tailgating.

How to eliminate wrong answers

Option A is wrong because requiring advance access logs does not physically prevent tailgating; it only creates an audit trail after the fact, and the unauthorized person could still follow an employee through the door. Option B is wrong because biometric scanners (fingerprint and retina) add significant authentication time and user friction, slowing down authorized access, and they still do not prevent a second person from slipping through immediately after the first is authenticated. Option D is wrong because increasing security guards is a personnel-based solution that is costly, inconsistent, and still relies on human vigilance to spot tailgating, which can fail during busy periods or distraction.

21
MCQeasy

Which authentication factor does a smart card represent?

A.Something you know
B.Something you have
C.Somewhere you are
D.Something you are
AnswerB

Smart cards are physical tokens.

Why this answer

A smart card is a physical device that stores cryptographic keys or certificates, making it a classic 'something you have' factor. It requires possession of the card to authenticate, even if the user knows a PIN, because the PIN unlocks the card but does not replace the physical possession requirement.

Exam trap

ISC2 often tests the distinction between 'something you have' and 'something you know' by including a PIN as part of smart card usage, leading candidates to mistakenly classify it as 'something you know' instead of recognizing the card itself as the primary factor.

How to eliminate wrong answers

Option A is wrong because 'something you know' refers to knowledge-based factors like passwords or PINs, not a physical device. Option C is wrong because 'somewhere you are' is a location-based factor typically verified via GPS or IP geolocation, not a smart card. Option D is wrong because 'something you are' refers to biometric traits like fingerprints or iris scans, which are inherent to the user, not a separate physical token.

22
MCQmedium

After a reorganization, a company using RBAC finds that many users have accumulated permissions that no longer align with their job functions. What is the best practice to address this?

A.Assign permissions directly to each user based on their manager's request
B.Create new roles for each new position and assign users to them
C.Conduct a quarterly review and recertification of role memberships and permissions
D.Delete all existing permissions and re-add them based on current job descriptions
AnswerC

Periodic recertification aligns RBAC with changing job functions.

Why this answer

Option C is correct because conducting a quarterly review and recertification of role memberships and permissions is the industry-standard practice for maintaining the principle of least privilege in an RBAC system. This process ensures that role assignments are periodically validated against current job functions, removing accumulated permissions that no longer align with user responsibilities. It directly addresses permission creep by enforcing a formal, auditable lifecycle for role membership.

Exam trap

ISC2 often tests the misconception that a one-time cleanup (Option D) or ad-hoc direct assignments (Option A) are sufficient, when the real requirement is a continuous, auditable recertification process to maintain least privilege over time.

How to eliminate wrong answers

Option A is wrong because assigning permissions directly to each user bypasses the RBAC model entirely, leading to user-specific permission assignments that are difficult to audit, manage, and revoke, which exacerbates permission creep rather than resolving it. Option B is wrong because creating new roles for each new position without reviewing existing roles leads to role explosion, increasing administrative overhead and making the RBAC model less scalable and harder to maintain. Option D is wrong because deleting all existing permissions and re-adding them based on current job descriptions is a disruptive, high-risk approach that can cause immediate access outages and does not provide a sustainable, recurring process for managing role membership changes.

23
MCQhard

A company uses a mandatory access control (MAC) system where all files are labeled 'Confidential', 'Secret', or 'Top Secret'. A user with 'Secret' clearance tries to read a 'Top Secret' file. What is the outcome?

A.Access is allowed because the user has a legitimate need
B.Access is denied because the user's clearance is lower than the file's classification
C.Access is denied only if the file also has a category
D.Access is allowed because the user has Secret clearance
AnswerB

The simple security property prohibits reading up.

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the user's clearance level with the file's classification label. Since the user has 'Secret' clearance and the file is labeled 'Top Secret', the clearance is lower than the file's classification, so access is denied. This follows the fundamental MAC principle of 'no read up' (the simple security property) in the Bell-LaPadula model.

Exam trap

ISC2 often tests the misconception that 'need to know' or user role overrides clearance in MAC, but MAC strictly enforces clearance versus classification without considering discretionary permissions or need.

How to eliminate wrong answers

Option A is wrong because MAC does not consider 'need to know' or legitimate need; access is strictly based on clearance versus classification labels. Option C is wrong because categories are optional in MAC and their presence does not change the fact that clearance must meet or exceed the classification; denial occurs regardless of categories. Option D is wrong because 'Secret' clearance is lower than 'Top Secret', so access is denied, not allowed.

24
Multi-Selecthard

A security analyst is troubleshooting an access control issue where a user cannot access a file even though they seem to have the correct permissions. Which three of the following should the analyst investigate? (Select THREE)

Select 3 answers
A.File ownership
B.Password expiration
C.Group membership of the user
D.Deny permissions
E.Network connectivity
AnswersA, C, D

File ownership can affect permissions, especially in systems with owner-specific privileges.

Why this answer

File ownership (A) is correct because Linux and Windows access control models (POSIX ACLs, NTFS) check the file's owner and group before applying permissions. If the user is not the owner or in the owning group, the 'other' permissions apply, which may deny access even if the user has a seemingly matching permission entry. The analyst must verify the file's owner and group against the user's identity.

Exam trap

ISC2 often tests the misconception that 'effective permissions' are simply the sum of all allow entries, when in fact deny permissions explicitly override allows, and group membership must be checked recursively (including nested groups).

25
Multi-Selecthard

Which THREE components are part of the AAA framework?

Select 3 answers
A.Authentication
B.Accountability
C.Auditing
D.Accounting
E.Authorization
AnswersA, D, E

Authentication verifies user identity.

Why this answer

Authentication is correct because the AAA framework (Authentication, Authorization, and Accounting) uses authentication to verify the identity of a user or device before granting access. This is typically done via credentials such as username/password, digital certificates, or tokens, and is the first step in the AAA process.

Exam trap

ISC2 often tests the distinction between 'Accounting' and 'Auditing' — candidates confuse the two because both involve logs, but Accounting is the collection of data (e.g., start/stop records), while Auditing is the analysis of that data, which is not part of the AAA framework.

26
MCQhard

In a defense-in-depth strategy, which access control mechanism provides the most granular control over user permissions?

A.Network segmentation
B.Access control lists (ACLs) on files
C.Physical security controls
D.Firewall rules
AnswerB

ACLs provide fine-grained control over who can read, write, or execute individual files.

Why this answer

Access control lists (ACLs) on files provide the most granular control because they allow permissions to be set at the individual file or object level, specifying exactly which users or groups can read, write, execute, or modify that specific resource. This is in contrast to broader mechanisms like network segmentation or firewall rules, which operate at the network or subnet level and cannot distinguish between individual files within a system. ACLs are a fundamental component of discretionary access control (DAC) and are implemented in file systems such as NTFS, ext4, and ZFS.

Exam trap

ISC2 often tests the distinction between network-level controls (like firewall rules and segmentation) and system-level controls (like file ACLs), leading candidates to mistakenly choose a network mechanism when the question asks for the most granular control over user permissions on a resource.

How to eliminate wrong answers

Option A is wrong because network segmentation divides a network into smaller segments to limit lateral movement, but it does not control permissions on individual files or objects—it operates at Layer 2/3 and cannot enforce user-level granularity on a file. Option C is wrong because physical security controls (e.g., locks, biometrics, guards) protect the physical environment and assets, but they cannot differentiate between users accessing specific files on a system; they are a coarse, perimeter-level control. Option D is wrong because firewall rules filter traffic based on IP addresses, ports, and protocols at Layers 3/4 (and sometimes Layer 7), but they do not manage permissions on files or objects within an operating system—they control network access, not user permissions on resources.

27
MCQmedium

After a security audit, a company discovers that several employees have access to financial systems that are not required for their job roles. Which access control model would best prevent this issue in the future?

A.Mandatory access control (MAC)
B.Discretionary access control (DAC)
C.Role-based access control (RBAC)
D.Attribute-based access control (ABAC)
AnswerC

RBAC aligns permissions with job roles, preventing unnecessary access.

Why this answer

Role-based access control (RBAC) assigns permissions based on job roles, ensuring users have only the access needed for their role. DAC allows owners to give access arbitrarily, which could lead to over-provisioning. MAC is rigid and label-based, not ideal for dynamic business needs.

ABAC is flexible but more complex to implement than RBAC for this scenario.

28
MCQhard

In a Bell-LaPadula MAC model, which of the following operations is prohibited?

A.A Top Secret subject reads a Confidential object
B.A Top Secret subject reads a Top Secret object
C.A Top Secret subject writes to a Top Secret object
D.A Top Secret subject writes to an Unclassified object
AnswerD

Write down is prohibited.

Why this answer

In the Bell-LaPadula model, the *-property (star property) prohibits a subject from writing to an object at a lower classification level. A Top Secret subject writing to an Unclassified object would cause a downgrade of sensitive information, violating this property. Therefore, option D is the prohibited operation.

Exam trap

ISC2 often tests the misconception that the *-property (no write down) applies to writing to higher-level objects, when in fact it only restricts writing to lower-level objects, and candidates may confuse it with the simple security property (no read up).

How to eliminate wrong answers

Option A is wrong because the simple security property (no read up) allows a Top Secret subject to read a Confidential object, as it reads down. Option B is wrong because reading an object at the same classification level (Top Secret) is permitted under both the simple security property and the *-property. Option C is wrong because writing to an object at the same classification level (Top Secret) is allowed by the *-property, as it does not involve a downgrade.
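The two Bell-LaPadula rules behind Questions 23 and 28, as an added example that is not part of the original question bank: a minimal reference monitor with a total order of levels plus optional categories (the compartments Question 23's option C alludes to). The level names, category names and sample requests are constructed for illustration.

```python
# Added example (not part of the original question bank): a minimal
# Bell-LaPadula reference monitor. The level order, category names and
# the sample requests are constructed for illustration.

# Total order of classification levels; higher index = more sensitive.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def rank(level: str) -> int:
    """Position of a level in the ordering; raises ValueError for unknown labels."""
    return LEVELS.index(level)


def dominates(level_a: str, cats_a, level_b: str, cats_b) -> bool:
    """Label A dominates label B when A's level is at least as high and
    A's category set is a superset of B's (categories model compartments)."""
    return rank(level_a) >= rank(level_b) and set(cats_a) >= set(cats_b)


def can_read(subj_level: str, obj_level: str, subj_cats=(), obj_cats=()) -> bool:
    """Simple security property ('no read up'): the subject's label must
    dominate the object's label."""
    return dominates(subj_level, subj_cats, obj_level, obj_cats)


def can_write(subj_level: str, obj_level: str, subj_cats=(), obj_cats=()) -> bool:
    """*-property ('no write down'): the object's label must dominate the
    subject's label, so information never flows to a lower level."""
    return dominates(obj_level, obj_cats, subj_level, subj_cats)


def check(op: str, subj_level: str, obj_level: str, subj_cats=(), obj_cats=()) -> str:
    """Mediate one request; returns the decision and the rule that decided it."""
    if op == "read":
        allowed = can_read(subj_level, obj_level, subj_cats, obj_cats)
        rule = "simple security property (no read up)"
    elif op == "write":
        allowed = can_write(subj_level, obj_level, subj_cats, obj_cats)
        rule = "*-property (no write down)"
    else:
        raise ValueError(f"unknown operation {op!r}")
    return ("ALLOW" if allowed else "DENY") + f" ({rule})"


if __name__ == "__main__":
    # Question 23: a Secret subject reading a Top Secret object is refused.
    print("Secret reads Top Secret:", check("read", "Secret", "Top Secret"))
    # Question 28: the four options for a Top Secret subject.
    for op, obj in [("read", "Confidential"), ("read", "Top Secret"),
                    ("write", "Top Secret"), ("write", "Unclassified")]:
        print(f"Top Secret {op}s {obj}:", check(op, "Top Secret", obj))
    # Categories (Question 23, option C): an equal level is not enough when
    # the object carries a compartment the subject does not hold.
    print("Secret without PROJ reads Secret/PROJ:",
          check("read", "Secret", "Secret", (), ("PROJ",)))
```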

29
Multi-Selecteasy

Which TWO of the following are examples of physical access controls?

Select 2 answers
A.Encryption
B.Biometric scanners
C.Smart cards
D.Intrusion Prevention Systems (IPS)
E.Firewalls
AnswersB, C

Biometrics are physical attributes used for authentication.

Why this answer

Biometric scanners (Option B) are physical access controls because they authenticate individuals based on unique biological traits (e.g., fingerprints, iris patterns) to grant or deny entry to a physical space, such as a server room or data center. This is a tangible, hardware-based mechanism that directly controls physical access, aligning with the definition of physical access controls in the CC exam.

Exam trap

ISC2 often tests the distinction between physical controls (tangible, hardware-based mechanisms that restrict physical access) and logical/technical controls (software or network-based protections), causing candidates to mistakenly classify encryption or firewalls as physical controls.

30
MCQmedium

A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?

A.Group membership inheritance
B.User account lockout status
C.Check for explicit deny permissions on the folder
D.Effective permissions
AnswerC

Deny entries override allows and can cause access issues even with correct group membership.

Why this answer

Even if group membership is correct, explicit deny permissions can override allow permissions. Checking for deny entries on the folder is a logical next step. User lockout would affect all accesses.

Effective permissions would show the combined result but checking for denies is more direct. Password expiration is a login issue, not a permissions issue.

31
MCQhard

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

A.The condition is evaluated as OR instead of AND.
B.The time condition is evaluated as BETWEEN 09:00 and 17:00 exclusive.
C.The policy is misconfigured with effect Deny.
D.The user's device attribute is incorrectly set to Windows.
AnswerD

If the device OS attribute is wrong, the condition might be satisfied.

Why this answer

Option D is correct because the policy likely includes a device attribute condition (e.g., device.os == 'Windows') that must be satisfied for the Deny effect to apply. Since the user is on a macOS device, the condition evaluates to false, so the Deny is not enforced, and the default Allow (or a broader Allow rule) permits write access. This is a common misconfiguration where the device attribute is set incorrectly, causing unintended access.

Exam trap

ISC2 often tests the nuance that a Deny rule with unmet conditions does not block access—candidates mistakenly assume a Deny rule always denies, but in policy engines, a rule only applies if all its conditions are true; otherwise, the engine falls through to the next rule or default action.

How to eliminate wrong answers

Option A is wrong because the exhibit shows a single condition block; if multiple conditions were present, they would be ANDed by default in Cisco ISE or similar policy engines, not ORed, so this does not explain the behavior. Option B is wrong because the time condition 'BETWEEN 09:00 and 17:00' in Cisco policy engines is inclusive of both endpoints (09:00 and 17:00), not exclusive; 10:00 AM falls within the inclusive range, so the Deny would apply if time were the only factor. Option C is wrong because the policy is configured with effect Deny, but the issue is that the Deny is not being triggered due to a condition mismatch; the policy itself is not misconfigured in terms of effect—it is the condition that fails to match.
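The fall-through behaviour described above, as an added example that is not part of the original question: a toy policy engine in which a rule fires only when all of its conditions hold, so a Deny rule with one unmet condition leaves the default Allow in force. The attribute names, the Deny rule's conditions and the inclusive 09:00 to 17:00 window are assumed, since the exhibit is not reproduced here.

```python
# Added example (not part of the original question): a toy policy engine in
# which a rule applies only when every condition holds (AND), and a request
# matching no rule falls through to the default effect. Attribute names,
# the Deny rule and the request are assumed for illustration.
from datetime import time

# Assumed policy: deny writes to /finance/data by the Finance role from
# Windows devices during business hours. 'between' is inclusive at both ends.
DENY_RULE = {
    "effect": "Deny",
    "conditions": [
        ("role", "==", "Finance"),
        ("action", "==", "write"),
        ("resource", "==", "/finance/data"),
        ("device_os", "==", "Windows"),
        ("time", "between", (time(9, 0), time(17, 0))),
    ],
}

# The request from the scenario: Finance user, macOS device, 10:00 AM.
MACOS_REQUEST = {
    "role": "Finance",
    "action": "write",
    "resource": "/finance/data",
    "device_os": "macOS",
    "time": time(10, 0),
}


def condition_holds(condition, request) -> bool:
    """Evaluate one (attribute, operator, value) triple against the request."""
    attr, op, value = condition
    actual = request[attr]
    if op == "==":
        return actual == value
    if op == "between":
        low, high = value
        return low <= actual <= high   # inclusive range
    raise ValueError(f"unsupported operator {op!r}")


def failed_conditions(rule, request):
    """List the conditions of a rule that the request does not satisfy;
    this is what an analyst wants when a Deny 'should have' fired."""
    return [c for c in rule["conditions"] if not condition_holds(c, request)]


def evaluate(rules, request, default="Allow", combine="AND") -> str:
    """Return the effect of the first rule whose conditions match, else the
    default. combine="OR" exists only to show why option A is wrong: it is
    not how the conditions inside one block are combined."""
    for rule in rules:
        results = [condition_holds(c, request) for c in rule["conditions"]]
        matched = all(results) if combine == "AND" else any(results)
        if matched:
            return rule["effect"]
    return default


if __name__ == "__main__":
    print("macOS at 10:00 ->", evaluate([DENY_RULE], MACOS_REQUEST))
    print("unmet conditions:", failed_conditions(DENY_RULE, MACOS_REQUEST))
    windows = dict(MACOS_REQUEST, device_os="Windows")
    print("Windows at 10:00 ->", evaluate([DENY_RULE], windows))
```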

32
MCQmedium

A system administrator notices that a user has been granted read and write permissions to a folder but should only have read access. Which type of access control issue does this represent?

A.Excessive permissions
B.Segregation of duties conflict
C.Authorization creep
D.Incomplete revocation
AnswerA

Excessive permissions directly describe having more rights than required.

Why this answer

Excessive permissions occur when a user or group is granted more privileges than necessary for their role. In this scenario, the user has read and write access to a folder but should only have read access, meaning the write permission is unnecessary and violates the principle of least privilege. This is a classic example of excessive permissions, as the user has been over-provisioned beyond their job requirements.

Exam trap

ISC2 often tests the distinction between authorization creep (gradual accumulation over time) and excessive permissions (a one-time over-provisioning), so candidates may confuse the two when the scenario describes a single incorrect assignment.

How to eliminate wrong answers

Option B is wrong because segregation of duties conflicts involve splitting critical tasks among multiple users to prevent fraud or error, not a single user having extra permissions. Option C is wrong because authorization creep refers to the gradual accumulation of permissions over time due to role changes or transfers, not a one-time misassignment of write access. Option D is wrong because incomplete revocation occurs when permissions are not fully removed after a user no longer needs them, whereas here the user was never supposed to have write access in the first place.

33
MCQhard

Refer to the exhibit. A user from the Auditors group is unable to access the folder. What is the most likely cause?

A.The user is not a member of the Auditors group
B.A deny entry for Auditors overrides the allow
C.The Auditors group has only read permission, which is insufficient
D.The folder is encrypted
AnswerB

The deny entry explicitly blocks read access, causing the failure despite the allow.

Why this answer

In NTFS permissions, a Deny entry explicitly blocks access and takes precedence over any Allow entries, regardless of the order in which they are applied. Since the user is a member of the Auditors group, the Deny entry for that group overrides any Allow permissions the user might have individually or through other group memberships. This is the most likely cause of the access failure.

Exam trap

ISC2 often tests the principle that Deny entries override Allow entries in NTFS permissions, and the trap here is that candidates mistakenly think the order of permission entries or the most specific permission wins, rather than recognizing that Deny always takes precedence.

How to eliminate wrong answers

Option A is wrong because the user is explicitly stated to be from the Auditors group, so they are a member. Option C is wrong because even if the Auditors group has only Read permission, that would still allow the user to access the folder (read contents), but the user cannot access it at all, indicating a Deny is in effect. Option D is wrong because encryption (e.g., EFS) would not prevent access if the user has the proper decryption key; the scenario points to a permission conflict, not encryption.
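The deny-overrides-allow and nested-group points raised in Questions 24, 30 and 33, as one added example that is not part of the original questions: a simplified NTFS-style effective-rights calculation. The users, groups and ACL entries are constructed, and the model deliberately ignores the explicit-versus-inherited ordering of real NTFS.

```python
# Added example (not part of the original questions): compute a user's
# effective rights under a simplified NTFS-style ACL in which any Deny entry
# overrides Allow entries and group membership is resolved through nested
# groups. The directory, the ACL and the user names are constructed, and the
# model deliberately ignores the explicit-vs-inherited ordering of real NTFS.

# Direct membership only; a member may itself be a group (nesting).
GROUP_MEMBERS = {
    "Auditors": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob"},
    "Everyone": {"alice", "bob", "carol"},
}

# ACL on the folder: (principal, Allow|Deny, rights).
FOLDER_ACL = [
    ("Everyone", "Allow", {"Read"}),
    ("Auditors", "Allow", {"Read", "Write"}),
    ("Auditors", "Deny", {"Read"}),   # the entry behind Question 33's failure
]


def expand_groups(user: str, members=GROUP_MEMBERS) -> set:
    """All groups the user belongs to, following nested groups; the
    'already found' check makes membership cycles harmless."""
    found, stack = set(), [user]
    while stack:
        principal = stack.pop()
        for group, direct in members.items():
            if principal in direct and group not in found:
                found.add(group)
                stack.append(group)
    return found


def effective_rights(user: str, acl=FOLDER_ACL, members=GROUP_MEMBERS) -> set:
    """Union of Allow rights for the user and all of their groups, minus any
    right that a Deny entry for one of those principals names."""
    principals = {user} | expand_groups(user, members)
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        (allowed if kind == "Allow" else denied).update(rights)
    return allowed - denied


def deny_sources(user: str, right: str, acl=FOLDER_ACL, members=GROUP_MEMBERS) -> list:
    """Which principals carry a Deny for the right: the troubleshooting step
    from Questions 24 and 30 (check for explicit denies, not just allows)."""
    principals = {user} | expand_groups(user, members)
    return sorted(p for p, kind, rights in acl
                  if kind == "Deny" and right in rights and p in principals)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "groups:", sorted(expand_groups(user)),
              "rights:", sorted(effective_rights(user)),
              "Read denied via:", deny_sources(user, "Read"))
```

bob never appears in the Auditors entry directly; he inherits the Deny through Finance-Leads, which is why the recursive expansion matters.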

34
Multi-Selectmedium

Which TWO are characteristics of Role-Based Access Control (RBAC)?

Select 2 answers
A.Users are assigned to roles, and inherit permissions from those roles.
B.Object owners can delegate permissions to others.
C.Access decisions are based on security labels.
D.It enforces a centralized policy that cannot be overridden by users.
E.Permissions are assigned to roles, not individual users.
AnswersA, E

Role assignment is fundamental to RBAC.

Why this answer

Option A is correct because RBAC defines roles that group specific permissions, and users are assigned to these roles. When a user is added to a role, they automatically inherit all permissions associated with that role, simplifying administration and ensuring consistent access rights across the organization.

Exam trap

ISC2 often tests the distinction between RBAC and DAC by presenting delegation of permissions (Option B) as a plausible RBAC feature, when in fact it belongs to DAC.

35
MCQhard

When implementing a role-based access control (RBAC) system, what is the primary challenge organizations face?

A.Managing password complexity
B.Ensuring users do not share passwords
C.Role explosion
D.Defining roles that align with job functions
AnswerC

Role explosion leads to administrative overhead and is a frequent pitfall in RBAC.

Why this answer

Role explosion is the primary challenge in RBAC because as organizations grow, the number of distinct roles can proliferate rapidly, leading to administrative overhead, complexity in role management, and potential security gaps. This occurs when roles are defined too granularly or for every unique combination of permissions, making it difficult to maintain least privilege and audit access. Proper RBAC design requires careful role engineering to minimize the number of roles while still mapping to job functions.

Exam trap

ISC2 often tests the misconception that the main difficulty in RBAC is defining roles themselves, when in fact the real operational challenge is controlling role proliferation (role explosion) after initial implementation.

How to eliminate wrong answers

Option A is wrong because managing password complexity is a concern of authentication mechanisms, not RBAC, which focuses on authorization after authentication. Option B is wrong because ensuring users do not share passwords is an authentication policy issue, unrelated to the role-based access control model. Option D is wrong because defining roles that align with job functions is actually a fundamental requirement of RBAC, not a primary challenge; the challenge arises when too many roles are created (role explosion), not from the initial definition itself.

36
MCQmedium

Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?

A.chmod 664 project_data.txt
B.chmod 755 project_data.txt
C.chmod 644 project_data.txt
D.chmod 600 project_data.txt
AnswerC

644 sets read/write for owner, read for group and others, so user2 can read but not write.

Why this answer

Option C is correct because `chmod 644` sets the file permissions to `rw-r--r--`, which grants read and write to the owner, read-only to the group, and read-only to others. Since the file is initially readable and writable by everyone (likely `666`), changing to `644` removes write access for the group and others while preserving read access for all, meeting the requirement that user2 (a marketing team member, presumably in the group or others category) can read but not write.

Exam trap

ISC2 often tests the misconception that `chmod 664` is the standard 'read and write for owner and group, read-only for others' when in fact it grants write to the group, which would allow user2 to write if they are in the group, so candidates must carefully consider the user's group membership and the exact requirement of 'read but not write'.

How to eliminate wrong answers

Option A is wrong because `chmod 664` sets permissions to `rw-rw-r--`, which gives read and write to both the owner and the group; if user2 is in the group, they can write, which violates the requirement. Option B is wrong because `chmod 755` sets permissions to `rwxr-xr-x`; although that does stop the group and others from writing, it also grants execute permission to everyone, which a data file does not need and which over-provisions beyond the stated requirement. Option D is wrong because `chmod 600` sets permissions to `rw-------`, which removes all read and write access for the group and others, so user2 cannot read the file, which fails the requirement.
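How the kernel picks exactly one of the three permission triplets, as an added example that is not part of the original question: decode an octal mode and test the 'read but not write' requirement for user2 both when user2 is in the file's group and when not. The owner name (user1), the file's group (project) and user2's memberships are constructed.

```python
# Added example (not part of the original question): decode an octal chmod
# mode and check what user2 can do with the file. The owner (user1), the
# file's group (project) and user2's group memberships are constructed.

OWNER = "user1"
FILE_GROUP = "project"


def mode_string(mode_octal: str) -> str:
    """'644' -> 'rw-r--r--', the symbolic form that ls -l displays."""
    bits = int(mode_octal, 8)
    out = ""
    for shift in (6, 3, 0):                  # owner, group, other
        triplet = (bits >> shift) & 0o7
        out += "r" if triplet & 4 else "-"
        out += "w" if triplet & 2 else "-"
        out += "x" if triplet & 1 else "-"
    return out


def permission_class(user: str, user_groups) -> str:
    """Exactly one triplet applies: owner first, then group, otherwise other."""
    if user == OWNER:
        return "owner"
    if FILE_GROUP in user_groups:
        return "group"
    return "other"


def can(user: str, right: str, mode_octal: str, user_groups=()) -> bool:
    """Does 'user' hold right ('r', 'w' or 'x') on a file with this mode?"""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(user, user_groups)]
    mask = {"r": 4, "w": 2, "x": 1}[right]
    return bool((int(mode_octal, 8) >> shift) & mask)


def meets_requirement(mode_octal: str, user2_groups=()) -> bool:
    """Question 36's requirement: user2 can read the file but not write to it."""
    return (can("user2", "r", mode_octal, user2_groups)
            and not can("user2", "w", mode_octal, user2_groups))


if __name__ == "__main__":
    for mode in ("666", "664", "755", "644", "600"):
        print(mode, mode_string(mode),
              "| user2 in group:", meets_requirement(mode, ("project",)),
              "| user2 not in group:", meets_requirement(mode, ("marketing",)))
```

The 664 row is the exam trap in table form: it satisfies the requirement only when user2 is outside the file's group, while 644 satisfies it either way.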

37
Multi-Selecthard

Which THREE are valid methods for authenticating a user in an access control system?

Select 3 answers
A.User ID
B.Fingerprint scan
C.Password
D.Smart card
AnswersB, C, D

A fingerprint is an inherence factor.

Why this answer

A fingerprint scan is a valid authentication method because it falls under 'something you are' (biometric authentication). In access control systems, biometrics like fingerprint scans provide a high level of assurance by verifying a unique physical characteristic of the user, making it a strong factor for authentication.

Exam trap

ISC2 often tests the distinction between identification (e.g., User ID) and authentication (e.g., password, biometric, smart card), and the trap here is that candidates mistakenly treat a User ID as an authentication factor rather than just an identifier.

38
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

39
MCQmedium

A system administrator needs to grant a contractor temporary access to a server for patching. The contractor should only have access during the patching window. Which access control implementation method is most appropriate?

A.Time-based ACL (rule-based access control)
B.Group-based permissions with a recurring schedule
C.Discretionary access control (DAC)
D.Mandatory access control (MAC)
AnswerA

Time-based ACLs restrict access to specific time windows, ideal for temporary access.

Why this answer

Time-based ACLs (rule-based access control) allow the administrator to define a specific time range during which the contractor's access is permitted. This directly matches the requirement for temporary access only during the patching window, as the ACL can be configured with a time-range object that automatically enables and disables the permit statement without manual intervention.

Exam trap

ISC2 often tests the distinction between rule-based access control (RBAC) with time-based ACLs and group-based permissions, where candidates mistakenly choose group-based permissions because they think 'recurring schedule' implies time control, but group-based permissions lack the precise time-range enforcement at the network layer.

How to eliminate wrong answers

Option B is wrong because group-based permissions with a recurring schedule typically apply to user group memberships and do not provide the granular, time-bound enforcement at the network or system level that a time-based ACL offers. Option C is wrong because discretionary access control (DAC) allows the resource owner to grant permissions arbitrarily, which does not inherently enforce a time-limited access window. Option D is wrong because mandatory access control (MAC) uses system-wide labels and security clearances, which are static and not designed for temporary, time-based access exceptions.

40
MCQmedium

Which component of the AAA framework determines what resources an authenticated user can access?

A.Auditing
B.Accounting
C.Authorization
D.Authentication
AnswerC

Authorization determines access rights.

Why this answer

Authorization is the component of the AAA (Authentication, Authorization, Accounting) framework that determines what resources an authenticated user can access. After authentication verifies the user's identity, authorization enforces policies—such as those defined in a local database or via RADIUS/TACACS+—to permit or deny access to specific network services, commands, or resources.

Exam trap

ISC2 often tests the distinction between authentication and authorization by presenting a scenario where a user is successfully logged in but cannot access a resource, and candidates mistakenly blame authentication instead of recognizing that authorization is the missing step.

How to eliminate wrong answers

Option A is wrong because auditing is not a separate AAA component; it is often part of accounting or logging, and it reviews past actions rather than controlling real-time access. Option B is wrong because accounting tracks and logs user activities (e.g., session time, data transfer) for billing or auditing, but it does not decide what resources a user can access. Option D is wrong because authentication only verifies identity (e.g., via username/password, certificate, or token) and does not grant or deny access to specific resources.

41
MCQeasy

An organization implements a policy where users must swipe their ID card and enter a PIN to access a secure room. This is an example of which access control principle?

A.Biometric authentication
B.Single-factor authentication
C.Multifactor authentication
D.Role-based access control
AnswerC

Two factors: card (possession) and PIN (knowledge).

Why this answer

Option C is correct because the policy requires two distinct factors: something you have (the ID card) and something you know (the PIN). This combination of multiple authentication factors from different categories is the defining characteristic of multifactor authentication (MFA).

Exam trap

ISC2 often tests the distinction between authentication factors and authorization models, so the trap here is confusing multifactor authentication (which is about verifying identity) with role-based access control (which is about granting permissions after identity is verified).

How to eliminate wrong answers

Option A is wrong because biometric authentication relies on unique physical characteristics like fingerprints or iris scans, not on possession of an ID card or knowledge of a PIN. Option B is wrong because single-factor authentication uses only one type of credential, whereas this scenario uses two distinct factors. Option D is wrong because role-based access control (RBAC) governs authorization based on job roles, not the authentication method used to verify identity.

42
MCQeasy

Refer to the exhibit. A user with this policy tries to list objects in bucket1 but gets an access denied error. What is the most likely reason?

A.The policy does not grant s3:ListBucket permission
B.The resource ARN should include the bucket itself
C.The effect should be Deny
D.The user lacks encryption keys
AnswerA

Listing objects requires the ListBucket action, which is not included.

Why this answer

The policy shown grants s3:GetObject permission, which allows reading individual objects, but does not include s3:ListBucket permission. Listing objects in a bucket requires the s3:ListBucket action on the bucket resource. Without this permission, the user receives an access denied error when attempting to list objects, even if they can read objects directly.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level S3 permissions, trapping candidates who assume that granting GetObject on objects automatically allows listing the bucket.

How to eliminate wrong answers

Option B is wrong because it names a secondary detail rather than the cause: s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::bucket1) rather than the object pattern (arn:aws:s3:::bucket1/*), so a complete fix does add the bucket ARN as a resource, but adding that ARN without the s3:ListBucket action grants nothing; the missing action is the root cause. Option C is wrong because changing the effect to Deny would explicitly block access, not resolve the denied error; the policy currently has an Allow effect, which is correct for granting permissions. Option D is wrong because encryption keys are unrelated to S3 bucket listing permissions; the error is due to a missing IAM policy permission, not encryption key access.

43
MCQeasy

An organization wants to ensure that no single employee can both request and approve a payment. Which access control principle does this enforce?

A.Separation of duties
B.Least privilege
C.Need to know
D.Defense in depth
AnswerA

Separation of duties divides critical functions among multiple people.

Why this answer

Separation of duties (SoD) is the access control principle that prevents a single individual from having conflicting permissions, such as both requesting and approving a payment. By splitting the payment lifecycle into distinct roles (e.g., requester vs. approver), the organization enforces a dual-control mechanism that reduces the risk of fraud or error. This is commonly implemented in financial systems using role-based access control (RBAC) where the 'payment request' and 'payment approval' roles are mutually exclusive.

Exam trap

ISC2 often tests the confusion between 'separation of duties' and 'least privilege' because both limit user capabilities, but the trap is that least privilege reduces the scope of permissions for a single user while separation of duties divides a critical process across multiple users.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting only the minimum permissions necessary to perform a job function, not on splitting conflicting tasks across multiple people. Option C (Need to know) is wrong because it restricts access to data based on whether it is required for a specific task, not on preventing a single user from holding two conflicting functional roles. Option D (Defense in depth) is wrong because it describes a layered security architecture (e.g., firewalls, IDS, encryption) rather than a principle for segregating duties within a process.

44
MCQeasy

What is the primary purpose of identification in the context of access control?

A.To grant permissions to resources
B.To verify the identity of the user
C.To record user activities
D.To claim an identity
AnswerD

Identification provides a claimed identity (e.g., username).

Why this answer

In access control, identification is the process by which a user claims an identity (e.g., by providing a username or account name). It is distinct from authentication, which verifies that claim. The primary purpose of identification is to assert who you are, not to prove it.

Exam trap

ISC2 often tests the distinction between identification (claiming an identity) and authentication (proving that identity), so candidates mistakenly select 'To verify the identity of the user' (Option B) because they conflate the two steps.

How to eliminate wrong answers

Option A is wrong because granting permissions to resources is the function of authorization, not identification. Option B is wrong because verifying the identity of the user is the purpose of authentication, which typically follows identification. Option C is wrong because recording user activities is the role of accounting (auditing), not identification.

45
MCQhard

You are the security administrator for a mid-sized e-commerce company. The company uses a Linux-based web server running Apache, with a MySQL database backend. User authentication is handled via LDAP. Recently, the security team discovered that a former employee's account was used to access the customer database two weeks after the employee was terminated. The account had not been disabled. The database contains personally identifiable information (PII). The incident was traced to an internal IP address from the marketing department. The marketing department's network segment is not segregated from the database server. Additionally, the database server's firewall rules allow any internal IP to connect to the MySQL port (3306). The company has a written policy that accounts must be disabled within 24 hours of termination, but the HR department did not notify IT in a timely manner. Which combination of controls would BEST prevent a recurrence of this incident?

A.Deploy a database activity monitoring (DAM) solution that alerts on unusual queries, and require strong passwords for all database accounts.
B.Implement a firewall rule to block all traffic from the marketing network to the database server, and require all database access to go through a bastion host.
C.Integrate HR system with identity management to automatically disable accounts upon termination, and implement network segmentation with a firewall that restricts database access to only authorized application servers.
D.Implement two-factor authentication for all database access, and conduct quarterly access reviews.
AnswerC

Automated account disablement prevents use of terminated accounts; segmentation limits lateral movement.

Why this answer

Option C addresses both root causes. Integrating the HR system with identity management removes the dependency on a manual HR notification, so the account is disabled by the termination event itself rather than inside a 24-hour window that was missed. Network segmentation that limits port 3306 to the authorized application servers means a marketing workstation could not reach the database even with valid credentials, which also shrinks the blast radius of the next stale account. Option A is a detective control: database activity monitoring alerts after a query has already run, and strong passwords do not help when the attacker holds a valid, still-enabled credential. Option B is too narrow: blocking only the marketing segment leaves every other internal segment able to reach port 3306, and it does nothing about the account that should have been disabled. Option D reduces exposure but leaves both root causes in place; a quarterly review cannot satisfy a 24-hour disablement policy, and two-factor authentication on the database does not fix the flat network.
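The automated disablement in Option C reduces to a reconciliation job that runs on every HR termination event (or on a short schedule) and compares the HR feed against what is still enabled in the directory. The block below is an added example, not code from the page, showing that logic in Python. The HR rows, the directory snapshot, the evaluation time (AS_OF) and the account names are constructed; in a real deployment the HR records would come from the HR system's API or export, the accounts from an LDAP search, and the disable callback would perform the directory modification.

```python
"""Leaver reconciliation (added example). Finds accounts that HR reports as
terminated but the directory still has enabled, flags the ones past the
written 24-hour SLA, and disables them through an injected callback."""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # the written policy in the scenario

# Constructed HR export: who was terminated and when (UTC).
HR_TERMINATIONS = [
    {"employee_id": "E1001", "username": "jdoe",   "terminated_at": "2024-05-01T17:00:00Z"},
    {"employee_id": "E1002", "username": "asmith", "terminated_at": "2024-05-14T09:30:00Z"},
    {"employee_id": "E1003", "username": "bwong",  "terminated_at": "2024-05-14T12:00:00Z"},
]

# Constructed directory snapshot, i.e. what an LDAP search would return.
DIRECTORY_ACCOUNTS = [
    {"username": "jdoe",   "enabled": True},   # terminated two weeks ago, still enabled
    {"username": "asmith", "enabled": False},  # already disabled, nothing to do
    {"username": "bwong",  "enabled": True},   # terminated today, still inside the SLA
    {"username": "ckim",   "enabled": True},   # current employee, not in the HR list
]

# Constructed "current time" so the example is deterministic.
AS_OF = datetime(2024, 5, 14, 14, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(hr_terminations, directory_accounts, now):
    """Return the terminated users whose accounts are still enabled.

    Each finding carries how long the account has been live past termination
    and whether that already breaches the SLA, which is what the audit report
    and the alerting threshold key on.
    """
    enabled = {a["username"] for a in directory_accounts if a["enabled"]}
    findings = []
    for rec in hr_terminations:
        if rec["username"] not in enabled:
            continue  # already disabled (or never provisioned)
        age = now - parse_ts(rec["terminated_at"])
        findings.append({
            "username": rec["username"],
            "hours_since_termination": round(age / timedelta(hours=1), 1),
            "sla_breached": age > SLA,
        })
    return findings


def disable_accounts(findings, disable):
    """Disable every flagged account via the callback; return the usernames handled.

    The callback is where a directory write (for example an LDAP modify that
    locks the account) or an identity-provider API call would go.
    """
    handled = []
    for finding in findings:
        disable(finding["username"])
        handled.append(finding["username"])
    return handled


if __name__ == "__main__":
    results = reconcile(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AS_OF)
    for r in results:
        status = "SLA BREACH" if r["sla_breached"] else "within SLA"
        print(f"{r['username']:8} enabled {r['hours_since_termination']:6.1f}h after termination ({status})")
    disable_accounts(results, lambda user: print(f"disabling {user}"))
```

Running the block lists jdoe as an SLA breach (309 hours after termination) and bwong as within the SLA (2 hours); both are disabled, because the SLA flag is for reporting, not a reason to wait. The directory entry that HR never mentioned (ckim) is untouched, which is the property that makes the job safe to run unattended.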

46
Multi-Selecthard

A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)

Select 2 answers
A.Authorization
B.Identification
C.Non-repudiation
D.Authentication
E.Auditing
AnswersA, D

Authorization determines access rights; it is a core AAA component.

Why this answer

The AAA framework consists of Authentication, Authorization, and Accounting. Authentication verifies the identity of a user or device (e.g., via RADIUS or TACACS+). Authorization determines what resources or actions the authenticated entity is permitted to access (e.g., via privilege levels or ACLs).

Accounting tracks and logs user activities for auditing and billing purposes. Therefore, Authorization (A) and Authentication (D) are two of the three core components of AAA.

Exam trap

ISC2 often tests whether candidates confuse 'Identification' with 'Authentication', or treat 'Auditing' as the third A instead of 'Accounting'; either error leads to selecting B or E incorrectly.

47
MCQeasy

Which access control model uses subject and object labels to enforce access based on a security policy?

A.Discretionary Access Control (DAC)
B.Attribute-Based Access Control (ABAC)
C.Mandatory Access Control (MAC)
D.Role-Based Access Control (RBAC)
AnswerC

MAC uses labels and a central policy to control access.

Why this answer

Mandatory Access Control (MAC) enforces access decisions based on security labels assigned to subjects (users/processes) and objects (files/resources). The system, not the user, controls access by comparing these labels against a security policy, such as Bell-LaPadula or Biba. This is why MAC is the correct answer for label-based enforcement.

Exam trap

ISC2 often tests the misconception that ABAC uses labels (since attributes can be labels), but the key distinction is that MAC uses mandatory, system-enforced labels tied to a security policy, whereas ABAC evaluates attribute-based rules dynamically without fixed subject/object labels.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the owner of an object to set permissions at their discretion, using Access Control Lists (ACLs) or owner-based rights, not system-enforced labels. Option B is wrong because Attribute-Based Access Control (ABAC) uses attributes (e.g., user role, time, location) evaluated against policies, but it does not rely on fixed subject/object labels as the primary enforcement mechanism. Option D is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'admin', 'viewer'), not on security labels that compare subject and object classifications.

48
Multi-Selectmedium

Which TWO are principles of access control?

Select 2 answers
A.Separation of duties
B.Security through obscurity
C.Multifactor authentication
D.Single sign-on (SSO)
E.Least privilege
AnswersA, E

Principle that no single person has excessive control.

Why this answer

Separation of duties is a principle of access control that prevents any single individual from having excessive control over critical processes by dividing tasks and privileges among multiple people. This reduces the risk of fraud or error, as collusion is required to bypass controls. It is a foundational concept in security frameworks like NIST SP 800-53 and is often enforced through role-based access control (RBAC) policies.

Exam trap

ISC2 often tests the distinction between access control principles (like least privilege and separation of duties) and access control mechanisms or technologies (like multifactor authentication and SSO), causing candidates to confuse a method for a principle.

49
Matchingmedium

Match each authentication factor to an example.

Password: something you know (knowledge factor)

Smart card: something you have (possession factor)

Fingerprint: something you are (inherence factor)

GPS location: somewhere you are (location factor)

Why these pairings

Each example belongs to a different factor category. Multi-factor authentication (MFA) combines credentials from at least two different categories; two credentials from the same category, such as a password and a PIN, are still single-factor.

50
MCQhard

In a MAC environment implementing Bell-LaPadula, a subject with Secret clearance attempts to read an object classified as Confidential and write to an object classified as Top Secret. Which operations are permitted?

A.Read denied, write allowed
B.Both read and write allowed
C.Read allowed, write denied
D.Both read and write denied
AnswerB

Read down (Secret→Confidential) and write up (Secret→Top Secret) are both permitted.

Why this answer

In Bell-LaPadula, the Simple Security Property (no read up) prevents a subject from reading an object at a higher classification, but reading down is allowed. The *-Property (no write down) prevents writing to a lower classification, but writing up is allowed. Since the subject has Secret clearance, reading Confidential (lower) is permitted, and writing to Top Secret (higher) is permitted, so both operations are allowed.

Exam trap

ISC2 often tests the misconception that both read and write must be at the same clearance level, but Bell-LaPadula actually allows reading down and writing up, not the reverse.

How to eliminate wrong answers

Option A is wrong because it claims read is denied, but reading down (Secret reading Confidential) is allowed by the Simple Security Property. Option C is wrong because it claims write is denied, but writing up (Secret writing to Top Secret) is allowed by the *-Property. Option D is wrong because it claims both are denied, but both operations are actually permitted under Bell-LaPadula rules.

51
MCQeasy

A small business uses a cloud file storage service that allows sharing links. An employee mistakenly shared a folder containing customer data via a public link. The business wants to prevent such incidents in the future without blocking legitimate sharing. Which access control method should they implement?

A.Disable all external sharing
B.Require authentication for shared links
C.Use watermarking on documents
D.Encrypt all files
AnswerB

Authentication limits access to authorized users only, preventing public exposure.

Why this answer

Requiring authentication for shared links ensures that only intended recipients can access the data, reducing the risk of public exposure. Disabling all sharing is too restrictive. Watermarking and encryption do not prevent sharing to unauthorized users.

52
MCQmedium

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

A.Need-to-know
B.Separation of duties
C.Least privilege
D.Job rotation
AnswerB

Separation of duties requires multiple people to complete a sensitive task.

Why this answer

Separation of duties (SoD) is an access control concept that requires a critical task, such as a financial transaction, to be split into multiple steps performed by different individuals. This prevents any single employee from having the authority to both initiate and approve a transaction, thereby reducing the risk of fraud or error. In this scenario, the policy directly enforces SoD by ensuring that no one person can complete the entire process alone.

Exam trap

ISC2 often tests candidates by confusing separation of duties with least privilege, as both involve limiting user actions, but the key distinction is that separation of duties requires multiple people to complete a task, while least privilege only limits the permissions of a single user.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to information based on an individual's job requirements, not on splitting tasks among multiple people. Option C is wrong because least privilege grants users only the minimum permissions necessary to perform their job, but it does not require a second person to approve an action. Option D is wrong because job rotation moves employees between roles over time to cross-train and reduce boredom, but it does not enforce a dual-authority requirement for a single transaction.

53
MCQmedium

A government agency uses a multi-level security system with mandatory access control (MAC). A user with Secret clearance attempts to write data to a file classified as Confidential. Under the Bell-LaPadula model, which rule applies and what is the outcome?

A.The simple security property (no read up) denies the operation
B.The *-property allows the operation because the user is writing down
C.The simple security property allows the operation because the user's clearance is higher
D.The *-property (no write down) denies the operation
AnswerD

The *-property prohibits high clearances from writing to lower classifications.

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) with two primary rules: the simple security property (no read up) and the *-property (no write down). In this scenario, a user with Secret clearance attempts to write to a Confidential file, which is a write-down operation. The *-property prohibits writing to a lower classification to prevent the leakage of higher-classified information, so the operation is denied.

Option D correctly identifies this rule and outcome.

Exam trap

ISC2 often tests the confusion between the simple security property (no read up) and the *-property (no write down), leading candidates to mistakenly apply the read rule to a write operation or assume that higher clearance allows writing down.

How to eliminate wrong answers

Option A is wrong because the simple security property (no read up) governs read operations, not write operations, and here the user is writing, not reading. Option B is wrong because the *-property does not allow write-down; it explicitly prohibits writing to a lower classification to maintain confidentiality. Option C is wrong because the simple security property allows read-down, not write-down, and it does not permit writing to a lower classification based on clearance level.
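Questions 47, 50 and 53 all reduce to one comparison on a label lattice: Bell-LaPadula allows a read when the subject's label dominates the object's and a write when the object's label dominates the subject's, and Biba is the same two checks with the operands swapped. The block below is an added example, not code from the page, that implements both models in Python. It goes slightly beyond the questions by giving each label a set of compartments, so that two Secret labels with different compartments are incomparable and both read and write are denied, which a purely linear Secret > Confidential ordering cannot show. Level names and compartment names are constructed.

```python
"""Lattice-based MAC decisions for Bell-LaPadula and Biba (added example).
A label is a hierarchical level plus a set of compartments; dominance
requires both a higher-or-equal level and a superset of compartments."""
from dataclasses import dataclass

LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice dominance: level at least as high AND compartments a superset."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): information may only flow upward.
def blp_read(subject, obj):
    # Simple Security Property, "no read up": the subject must dominate the object.
    return subject.dominates(obj)


def blp_write(subject, obj):
    # *-Property, "no write down": the object must dominate the subject.
    return obj.dominates(subject)


# Biba (integrity) is the dual model: the same two comparisons, swapped.
def biba_read(subject, obj):
    # Simple Integrity Axiom, "no read down": the object must dominate the subject.
    return obj.dominates(subject)


def biba_write(subject, obj):
    # *-Integrity Axiom, "no write up": the subject must dominate the object.
    return subject.dominates(obj)


RULES = {
    ("blp", "read"): blp_read,
    ("blp", "write"): blp_write,
    ("biba", "read"): biba_read,
    ("biba", "write"): biba_write,
}


def decide(model, subject, op, obj):
    """Return 'allow' or 'deny' for one (subject, operation, object) request."""
    return "allow" if RULES[(model, op)](subject, obj) else "deny"


if __name__ == "__main__":
    secret = Label("Secret")
    cases = [
        ("blp", secret, "read", Label("Confidential")),   # question 50: read down
        ("blp", secret, "write", Label("Top Secret")),    # question 50: write up
        ("blp", secret, "write", Label("Confidential")),  # question 53: write down
        ("blp", secret, "read", Label("Top Secret")),     # read up
        ("blp", Label("Secret", frozenset({"NATO"})), "read",
         Label("Secret", frozenset({"CRYPTO"}))),          # incomparable compartments
        ("biba", secret, "read", Label("Confidential")),  # Biba forbids read down
    ]
    for model, s, op, o in cases:
        print(f"{model:5} {s.level:12} {op:5} {o.level:12} -> {decide(model, s, op, o)}")
```

The two models differ only in which side of each comparison the subject sits on, which is why a system that needs both confidentiality and integrity (the Lipner-style combination) ends up with a subject that may read and write only objects at exactly its own label.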

54
Multi-Selectmedium

Which TWO scenarios best illustrate the principle of least privilege?

Select 2 answers
A.Regular employees can install software on their workstations
B.The CEO has root access to all servers
C.An administrator uses a separate standard account for daily work and an admin account only when needed
D.All users have full control over shared folders
E.A user has only the permissions required to perform their job
AnswersC, E

Running with minimal privileges reduces risk.

Why this answer

Option C is correct because it demonstrates the principle of least privilege by using a separate standard user account for daily tasks and elevating to an administrative account only when necessary. This minimizes the attack surface by ensuring that administrative privileges are not active during routine activities, reducing the risk of accidental system changes or malware execution with elevated rights. In Windows environments, this is commonly implemented via User Account Control (UAC) and the use of a standard vs. administrator account.

Exam trap

ISC2 often tests whether candidates can recognize least privilege in practice rather than merely define it. The traps are assuming that a trusted executive may hold root access everywhere (trust is not a job requirement, so Option B violates the principle) and confusing least privilege with separation of duties, which splits a task across people rather than trimming one user's permissions.

55
MCQhard

An organization wants to implement a system that enforces access decisions based on a user's attributes (e.g., department, clearance, time) and environmental conditions. Which model is best?

A.Role-based access control (RBAC)
B.Attribute-based access control (ABAC)
C.Discretionary access control (DAC)
D.Mandatory access control (MAC)
AnswerB

ABAC uses attributes and policies for fine-grained, context-aware decisions.

Why this answer

Attribute-based access control (ABAC) is the correct model because it evaluates access decisions based on a combination of user attributes (e.g., department, clearance), resource attributes, and environmental conditions (e.g., time of day, location). Unlike RBAC, which relies solely on predefined roles, ABAC uses policies that can incorporate dynamic factors like current time or threat level, making it ideal for fine-grained, context-aware enforcement.

Exam trap

ISC2 often tests the misconception that RBAC can handle dynamic conditions like time or location, but RBAC only maps users to roles with static permissions, whereas ABAC explicitly evaluates environmental attributes as part of the access decision.

How to eliminate wrong answers

Option A is wrong because RBAC assigns permissions based on static roles, not on user attributes or environmental conditions, so it cannot enforce time-based or clearance-level decisions dynamically. Option C is wrong because DAC allows resource owners to set permissions at their discretion, lacking centralized policy control and the ability to incorporate environmental attributes like time. Option D is wrong because MAC enforces access based on fixed security labels (e.g., classification levels) and system-wide rules, not on user-specific attributes or environmental conditions, making it inflexible for attribute-driven policies.

56
Drag & Dropmedium

Drag and drop the steps to implement a firewall rule allowing inbound HTTPS traffic into the correct order.


Why this order

HTTPS uses TCP port 443; rules must specify zones and be saved.

57
MCQmedium

A hospital uses role-based access control (RBAC) for its electronic health records. Nurses can view patient records; doctors can view and edit; administrators can only view administrative data. Recently, a nurse was able to edit a patient's record, which should only be allowed for doctors. The investigation finds that the nurse's role was incorrectly assigned a 'doctor' role due to a misconfiguration. To prevent recurrence, the access control system should be reviewed. Which is the best long-term solution?

A.Implement mandatory access control (MAC) with security labels
B.Remove the nurse's ability to edit records
C.Implement user behavior analytics to detect anomalies
D.Conduct quarterly role reviews and recertification
AnswerD

Regular reviews ensure roles are correctly assigned, preventing misconfigurations over time.

Why this answer

Option D is correct because the root cause is a role misconfiguration, and the best long-term solution is to implement a process of periodic role reviews and recertification. This ensures that role assignments are regularly audited and validated against current job responsibilities, preventing role creep and unauthorized privilege accumulation. In RBAC, the principle of least privilege is maintained through ongoing governance, not through a one-time fix.

Exam trap

ISC2 often tests the distinction between reactive fixes (like removing a single user's permission) and systemic governance processes (like periodic recertification), trapping candidates who choose a quick technical fix instead of a long-term administrative control.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) uses system-enforced security labels (e.g., classification levels) and is not designed to fix a role misconfiguration in an RBAC system; it would require a complete architectural change and does not address the need for periodic role validation. Option B is wrong because removing the nurse's ability to edit records is a reactive, short-term fix that does not prevent future misconfigurations or other role assignment errors; it treats the symptom, not the systemic issue. Option C is wrong because user behavior analytics (UBA) can detect anomalous activity after it occurs, but it does not prevent the underlying misconfiguration or ensure correct role assignments; it is a detective control, not a preventive or corrective control for role management.

58
MCQhard

An IAM policy is shown in the exhibit. Which action is permitted for the attached user?

A.Get an object from bucket2
B.Get an object from bucket1
C.List the objects in bucket1
D.Delete an object from bucket2
AnswerB

s3:GetObject on bucket1/* is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action on the ARN `arn:aws:s3:::bucket1/*`, which permits retrieving objects from bucket1. The `Deny` effect for `s3:DeleteObject` on bucket2 does not affect the `Allow` for `s3:GetObject` on bucket1. Therefore, the attached user can get an object from bucket1.

Exam trap

ISC2 often tests the distinction between object-level actions (like `s3:GetObject`) and bucket-level actions (like `s3:ListBucket`), trapping candidates who assume that reading an object implies the ability to list the bucket's contents.

How to eliminate wrong answers

Option A is wrong because the policy only allows `s3:GetObject` on bucket1, not bucket2; bucket2 is only referenced in a Deny statement for `s3:DeleteObject`, which does not grant any read access. Option C is wrong because the policy does not include the `s3:ListBucket` action, which is required to list objects in a bucket; `s3:GetObject` only permits reading individual objects, not listing. Option D is wrong because the policy explicitly denies `s3:DeleteObject` on bucket2, and an explicit Deny overrides any Allow.
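Questions 42 and 58 both come down to how an identity policy is evaluated: the request is denied unless some statement allows it, an explicit Deny anywhere beats every Allow, and the resource ARN has to match the kind of action (s3:ListBucket is checked against the bucket ARN, s3:GetObject against the object ARN). The block below is an added example, not code from the page or from AWS, that implements just those rules in Python and runs the policies the two questions describe through them. The bucket names, object keys and the extra group policy are constructed; the group policy exists only to show the Deny winning over a broad Allow. Conditions, NotAction/NotResource, resource policies, SCPs and permission boundaries are deliberately out of scope.

```python
"""Simplified IAM identity-policy evaluator (added example; not the AWS
evaluator). Implements default deny, explicit-Deny precedence, wildcard
matching on Action and Resource, and the bucket-ARN versus object-ARN
distinction that questions 42 and 58 rely on."""
import fnmatch

# Question 42: object reads only; nothing grants s3:ListBucket.
GET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket1/*"},
    ],
}

# Corrected form: ListBucket is a bucket-level action, so it is granted on
# the bucket ARN (no trailing /*), while GetObject stays on the object pattern.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket1/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::bucket1"},
    ],
}

# Question 58: Allow on bucket1 objects plus an explicit Deny on bucket2 deletes.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket1/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket2/*"},
    ],
}

# Hypothetical group policy attached to the same user (constructed), used only
# to show that the explicit Deny above still wins over a broad s3:* Allow.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::bucket2/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; * matches any characters including '/', as in
    # IAM. Note that 'bucket1/*' never matches the bare bucket ARN 'bucket1'.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies.

    Precedence, as in IAM: an explicit Deny in any matching statement wins;
    otherwise any matching Allow grants; otherwise the implicit default deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny cannot be overridden by any Allow
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    requests = [
        ([GET_ONLY_POLICY], "s3:GetObject", "arn:aws:s3:::bucket1/report.csv"),
        ([GET_ONLY_POLICY], "s3:ListBucket", "arn:aws:s3:::bucket1"),
        ([FIXED_POLICY], "s3:ListBucket", "arn:aws:s3:::bucket1"),
        ([USER_POLICY], "s3:GetObject", "arn:aws:s3:::bucket2/report.csv"),
        ([USER_POLICY, GROUP_POLICY], "s3:GetObject", "arn:aws:s3:::bucket2/report.csv"),
        ([USER_POLICY, GROUP_POLICY], "s3:DeleteObject", "arn:aws:s3:::bucket2/report.csv"),
    ]
    for policies, action, resource in requests:
        print(f"{action:16} {resource:38} -> {evaluate(policies, action, resource)}")
```

The second request is the question 42 failure: the object pattern arn:aws:s3:::bucket1/* does not match the bucket ARN, and no statement names s3:ListBucket, so the default deny applies. The last two requests are the question 58 point: attaching a policy that grants s3:* on bucket2 makes GetObject succeed there, yet DeleteObject is still denied because the explicit Deny in the user policy is evaluated first.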
