
Access Controls Concepts practice questions

Practise ISC2 Certified in Cybersecurity CC Access Controls Concepts practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Access Controls Concepts

What the exam tests

What to know about Access Controls Concepts

Access Controls Concepts questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Access Controls Concepts exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Access Controls Concepts questions

20 questions · select your answer, then reveal the explanation

An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

Which access control model uses subject and object labels to enforce access based on a security policy?

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

Which TWO are characteristics of Role-Based Access Control (RBAC)?

Which THREE are valid methods for authenticating a user in an access control system?


You are the security administrator for a mid-sized e-commerce company. The company uses a Linux-based web server running Apache, with a MySQL database backend. User authentication is handled via LDAP. Recently, the security team discovered that a former employee's account was used to access the customer database two weeks after the employee was terminated. The account had not been disabled. The database contains personally identifiable information (PII). The incident was traced to an internal IP address from the marketing department. The marketing department's network segment is not segregated from the database server. Additionally, the database server's firewall rules allow any internal IP to connect to the MySQL port (3306). The company has a written policy that accounts must be disabled within 24 hours of termination, but the HR department did not notify IT in a timely manner. Which combination of controls would BEST prevent a recurrence of this incident?
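The scenario above describes two gaps that can be checked mechanically: accounts still enabled past the 24-hour termination policy, and a firewall rule that exposes the MySQL port to the whole internal network. As an added example that is not part of the page's question bank, the Python below reconciles a constructed HR termination feed against a constructed directory export, then checks whether any rule on the database server allows port 3306 from outside an assumed application-tier subnet. The sample records, the `10.10.20.0/24` application subnet and the `(source, port, action)` rule format are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
import ipaddress

DISABLE_SLA = timedelta(hours=24)  # the company's written termination policy

# Constructed sample data (assumption): an HR termination feed and a directory export
HR_TERMINATIONS = {
    "jsmith": datetime(2024, 5, 1, 17, 0),   # left on 1 May
    "mlee":   datetime(2024, 5, 14, 12, 0),  # left on 14 May
}
DIRECTORY_ACCOUNTS = [
    {"uid": "jsmith", "enabled": True,  "last_login": datetime(2024, 5, 15, 9, 30)},
    {"uid": "mlee",   "enabled": False, "last_login": datetime(2024, 5, 13, 8, 0)},
    {"uid": "akhan",  "enabled": True,  "last_login": datetime(2024, 5, 15, 10, 0)},
]


def overdue_terminations(terminations, accounts, now):
    """Return enabled accounts whose owner left more than DISABLE_SLA ago.

    Each finding records how far past the SLA the account is and whether it
    was used after the termination date, which is the signal that turns a
    policy breach into an incident.
    """
    by_uid = {acct["uid"]: acct for acct in accounts}
    findings = []
    for uid, left_at in terminations.items():
        acct = by_uid.get(uid)
        if acct is None or not acct["enabled"]:
            continue  # already disabled or removed: nothing to report
        overdue = now - left_at - DISABLE_SLA
        if overdue > timedelta(0):
            findings.append({
                "uid": uid,
                "hours_overdue": int(overdue.total_seconds() // 3600),
                "used_after_termination": acct["last_login"] > left_at,
            })
    return findings


# Constructed firewall rules on the database server (assumption): (source CIDR, dst port, action)
DB_SERVER_RULES = [
    ("10.0.0.0/8", 3306, "allow"),  # any internal address may reach MySQL: the weak rule
    ("10.0.0.0/8", 22, "allow"),
]
APP_TIER = ipaddress.ip_network("10.10.20.0/24")  # assumed: the only tier that needs MySQL


def overly_broad_db_rules(rules, db_port=3306, allowed_source=APP_TIER):
    """Return source ranges that may reach db_port but are not confined to allowed_source."""
    broad = []
    for src, port, action in rules:
        if port != db_port or action != "allow":
            continue
        net = ipaddress.ip_network(src)
        # Acceptable only if every address the rule admits lies inside the app tier
        if not net.subnet_of(allowed_source):
            broad.append(src)
    return broad


if __name__ == "__main__":
    now = datetime(2024, 5, 15, 12, 0)
    for f in overdue_terminations(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, now):
        print(f"{f['uid']}: {f['hours_overdue']}h past SLA, used after leaving: {f['used_after_termination']}")
    print("over-broad MySQL rules:", overly_broad_db_rules(DB_SERVER_RULES))
    fixed = [("10.10.20.0/24", 3306, "allow"), ("10.0.0.0/8", 22, "allow")]
    print("after restricting 3306 to the app tier:", overly_broad_db_rules(fixed))
```

The two checks map onto the controls the question is asking about: the first is the detective side of a deprovisioning process (HR feed to IT, enforced on a timer rather than on a human remembering to send an e-mail), and the second is the network-layer control that would have stopped a marketing-segment host from reaching the database even with a valid credential.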

A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?


A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

Exhibit

```
Policy Name: FinanceApp Access
Subject: user role
Resource: /finance/data
Action: read, write
Condition: time between 09:00 and 17:00 AND device.os == "Windows"
Effect: Permit
```
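As an added illustration that is not part of the page or its question bank, the Python below evaluates access attempts against the exhibit's policy the way a deny-by-default policy decision point would: the subject, resource and action must match, and the whole condition (time window AND device operating system) must hold before the Permit effect applies. The role name `Finance`, the request attribute names and the evaluator itself are assumptions for this example, not any product's API. Run as written, the write from macOS at 10:00 is denied, which is exactly why the behaviour described in the question needs explaining.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One rule in the shape of the exhibit: subject, resource, actions, condition, effect."""
    name: str
    subject_role: str
    resource: str
    actions: frozenset
    window_start: time
    window_end: time
    device_os: str
    effect: str = "Permit"


@dataclass(frozen=True)
class Request:
    """Attributes the policy enforcement point collects about one access attempt."""
    role: str
    resource: str
    action: str
    at: time
    device_os: Optional[str]  # None models an attribute the enforcement point failed to collect


# The exhibit's policy transcribed; the role value "Finance" is an assumption
FINANCE_APP_ACCESS = Policy(
    name="FinanceApp Access",
    subject_role="Finance",
    resource="/finance/data",
    actions=frozenset({"read", "write"}),
    window_start=time(9, 0),
    window_end=time(17, 0),
    device_os="Windows",
)


def targets_match(policy: Policy, req: Request) -> bool:
    """Does the policy even apply to this subject, resource and action?"""
    return (req.role == policy.subject_role
            and req.resource == policy.resource
            and req.action in policy.actions)


def condition_holds(policy: Policy, req: Request) -> bool:
    """Evaluate 'time between start and end AND device.os == X', failing closed on missing data."""
    if req.device_os is None:
        return False  # an attribute we cannot verify must not satisfy the condition
    in_window = policy.window_start <= req.at <= policy.window_end
    return in_window and req.device_os == policy.device_os


def evaluate(policies, req: Request) -> str:
    """Return the effect of the first applicable policy; deny when none applies."""
    for policy in policies:
        if targets_match(policy, req) and condition_holds(policy, req):
            return policy.effect
    return "Deny"


def decide(role: str, action: str, hour: int, device_os: Optional[str]) -> str:
    """Convenience wrapper: one attempt on /finance/data at hour:00 against the exhibit's policy."""
    req = Request(role, "/finance/data", action, time(hour, 0), device_os)
    return evaluate([FINANCE_APP_ACCESS], req)


if __name__ == "__main__":
    for os_name in ("Windows", "macOS", None):
        print(f"Finance write at 10:00 from {os_name!s:8}: {decide('Finance', 'write', 10, os_name)}")
    print(f"Finance read at 18:00 from Windows: {decide('Finance', 'read', 18, 'Windows')}")
```

The fail-closed branch in `condition_holds` is the part worth remembering for the exam and for real deployments: an attribute-based condition is only as strong as the enforcement point's ability to supply the attribute, and an evaluator that treats a missing or unverified value as "satisfied" quietly turns the condition off.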

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.


Drag and drop the steps to implement a firewall rule allowing inbound HTTPS traffic into the correct order.


Match each security control type to its description.

Descriptions to match:

  • Discourages potential attackers
  • Blocks unauthorized access
  • Identifies and logs incidents
  • Restores after an incident
  • Alternative control when primary is not feasible

Match each authentication factor to an example.

Examples to match:

  • Password
  • Smart card
  • Fingerprint
  • GPS location

A system administrator needs to grant a user the ability to read files in a specific folder but not modify them. Which access control principle should be applied?

A financial company requires that any transaction over $10,000 must be approved by two different managers before being processed. This is an example of which access control principle?

During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?

An organization implements an access control system where users are assigned to groups, and permissions are granted to groups rather than individuals. This is known as:

A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?


Focused Access Controls Concepts sessions

Start an Access Controls Concepts-only practice session

Every question in these sessions is drawn from the Access Controls Concepts domain — nothing else.

Related practice questions

Related CC topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CC exam test about Access Controls Concepts?
Access Controls Concepts questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Access Controls Concepts questions in a focused session?
Yes — the session launcher on this page draws every question from the Access Controls Concepts domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CC topics?
Use the topic links above to move to related areas, or go back to the CC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CC exam covers. They are not copied from any real exam or dump site.