Which of the following is the primary purpose of a visitor log and escort policy?
Visitor logs and escorts track and control visitor movement.
Why this answer
Visitor management controls physical access and ensures visitors are monitored.
75 of 110 questions · Page 1/2 · Cc Access Controls topic
A security administrator is configuring access rights for a new employee. Which principle ensures the employee is granted only the minimum permissions necessary to perform their job duties?
Least privilege grants only the minimum permissions needed for job functions.
Why this answer
Least privilege means granting only the minimum permissions needed, reducing the blast radius of account compromise.
According to NIST SP 800-63 recommendations for password policies, which THREE practices are recommended? (Select THREE.)
This supports use of password managers, which generate strong passwords.
Why this answer
NIST SP 800-63 recommends checking passwords against breached lists, setting minimum length (8+ characters, 15+ for high assurance), and avoiding frequent forced changes unless compromised.
According to NIST SP 800-63, which password policy is most recommended?
Length and breach checking align with NIST recommendations.
Why this answer
NIST SP 800-63 emphasizes password length over complexity and discourages frequent mandatory changes.
In Active Directory, a GPO is used to enforce a policy that automatically locks user sessions after 15 minutes of inactivity. This is an example of which type of access control?
Session timeouts are logical controls enforced by the OS.
Why this answer
Session timeouts are logical access controls that reduce risk of unauthorized access from unattended workstations.
A security analyst notices multiple failed login attempts from a single IP address within a short period. Which control would best mitigate this brute force attack?
Correct. Account lockout triggers after a set number of failures.
Why this answer
Account lockout disables an account after a threshold of failed attempts, thwarting brute force attacks.
An organization wants to implement defense in depth for its server room. Which THREE controls should be included?
Cable locks prevent physical theft of equipment.
Why this answer
Defense in depth uses multiple overlapping controls. These three represent different layers.
Which access control principle restricts access to data based on the user's job role and tasks?
Correct. Need-to-know ensures users only access data required for their job.
Why this answer
Need-to-know restricts access to data to only what is necessary for job tasks, separate from least privilege, which focuses on permissions.
An organization implements an account lockout policy that locks an account after 5 failed login attempts within 15 minutes. This control is designed to prevent:
Lockout stops repeated guessing attempts.
Why this answer
Account lockout mitigates brute-force password guessing attacks.
An organization is designing a privileged access management (PAM) solution. Which THREE of the following are best practices for managing privileged accounts? (Select three.)
Admins should only have permissions necessary for their role.
Why this answer
PAM best practices include using separate admin accounts, monitoring privileged sessions, and applying least privilege. Sharing passwords and storing them in plaintext are security risks.
An employee is assigned a user account with read-only access to the sales database. However, the employee's job requires viewing only customer contact information, not sales figures. Which access control principle is being violated?
Even with read-only access, the employee should only access data required for their role.
Why this answer
Need-to-know restricts access to only the data necessary for job functions, separate from the permissions level (least privilege). Here, the employee has permissions to read data they do not need.
Which of the following is an example of a logical access control?
Password policies enforce logical controls.
Why this answer
Logical access controls are technology-based mechanisms like passwords, biometrics, and ACLs.
In the identification and authentication process, which step occurs first?
Identification is the first step, such as entering a username.
Why this answer
Identification is the claim of identity (e.g., username) before authentication proves it.
What is the process of claiming an identity called?
Identification is the claim of identity.
Why this answer
Identification is the act of claiming an identity, such as providing a username.
A system administrator has an account with full administrative privileges. To reduce risk, the organization implements a policy requiring the admin to use a separate, non-privileged account for daily tasks like email and web browsing. This practice aligns with which principle?
Using a separate daily account with limited privileges embodies least privilege for admins.
Why this answer
Least privilege for administrators means using a separate admin account only when needed, limiting exposure of high-privilege credentials.
Which access control principle ensures that a user is granted only the minimum permissions necessary to perform their job functions?
Least privilege grants the minimum permissions required to perform a role.
Why this answer
Least privilege limits permissions to reduce the potential damage from accidents or attacks.
An organization's password policy requires passwords to be at least 8 characters long and prohibits common passwords found in breach databases. This policy aligns with which guideline?
NIST SP 800-63 recommends length over complexity and breach checking.
Why this answer
NIST SP 800-63 recommends favoring length over complexity, minimum 8 characters, and checking passwords against known breached lists.
An organization is implementing a visitor management policy. Which THREE should be included? (Select THREE.)
Badges identify visitors and distinguish them from employees.
Why this answer
Visitor management typically includes sign-in, escort policies, and visitor badges to track and control visitor access.
An LDAP distinguished name is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. What does OU represent?
OU is the standard abbreviation for Organizational Unit.
Why this answer
OU stands for Organizational Unit, a container within a directory tree.
Which of the following is an example of a logical access control?
Password policy governs logical access to systems.
Why this answer
Logical access controls are software-based mechanisms that regulate access to systems or data.
Which of the following is a recommended practice for administrative accounts?
Separation reduces exposure.
Why this answer
Admins should have a separate account for privileged tasks to reduce risk.
According to NIST SP 800-63, which password policy is recommended to enhance security?
Length and breach checking are recommended by NIST.
Why this answer
NIST SP 800-63 recommends favoring long passwords over complex ones and avoiding frequent forced changes.
A company requires that financial transactions be approved by two different managers before execution. This is an example of which access control principle?
Correct. Separation of duties prevents fraud by requiring multiple approvals.
Why this answer
Separation of duties ensures no single individual can complete a high-risk action alone.
An organization implements a policy requiring employees to use a separate administrator account for privileged tasks and a different account for daily activities. Which principle does this support?
Using separate admin accounts limits privileges to only what's needed for admin tasks.
Why this answer
Least privilege for administrators reduces the risk from compromised daily accounts.
An organization is designing a defense-in-depth strategy for physical security. Which of the following are examples of layered physical controls? (Choose THREE.)
External perimeter control.
Why this answer
Defense in depth uses multiple layers: perimeter, building, room, and equipment controls.
A security architect is designing an access control policy based on the principle of need-to-know. Which TWO practices support this principle? (Select TWO.)
Labels help determine who needs access.
Why this answer
Need-to-know means only accessing data necessary for job functions. Data classification and role-based access help enforce this.
Which TWO of the following correctly describe components of a directory service distinguished name (DN) in LDAP? (Select two.)
OU (Organizational Unit) is a valid DN component.
Why this answer
In LDAP, a distinguished name uses CN (Common Name), OU (Organizational Unit), and DC (Domain Component). CN=John Smith and OU=Sales are valid components.
An LDAP distinguished name is written as: CN=John Smith,OU=Sales,DC=company,DC=com. What do the 'OU' and 'DC' components represent?
Correct.
Why this answer
OU = Organizational Unit, DC = Domain Component.
Which of the following is an example of a logical access control?
Correct. Password policies are logical controls.
Why this answer
A password is a logical (software-based) control that authenticates users.
A security auditor discovers that a user's account has been granted full access to all financial databases, even though the user only needs to view quarterly reports. Which access control principle has been violated most directly?
The user has more permissions than needed, violating least privilege.
Why this answer
Least privilege requires granting only the minimum permissions necessary to perform job functions.
A Privileged Access Management (PAM) solution is used to:
PAM focuses on privileged accounts with elevated rights.
Why this answer
PAM solutions control, monitor, and audit privileged access to critical systems.
An organization uses a layered security approach: perimeter fencing, access badge readers at building entrances, biometric scanners in server rooms, and cable locks on laptops. This strategy best exemplifies which access control concept?
Multiple overlapping physical controls create defense in depth.
Why this answer
Defense in depth employs multiple, overlapping layers of security controls to protect assets; if one layer fails, others still provide protection.
An organization requires that financial transactions over $10,000 be approved by two different managers. This is an example of which access control principle?
Correct. This requirement enforces separation of duties.
Why this answer
Separation of duties ensures that no single individual has complete control over a critical action, reducing the risk of fraud or error.
Which of the following is an example of a logical access control?
Passwords are logical controls that authenticate users.
Why this answer
Logical access controls are technology-based mechanisms that restrict access to systems and data, such as passwords.
Which TWO are examples of logical access controls? (Select TWO.)
Password policies are logical controls implemented in software.
Why this answer
Logical controls are software-based. Passwords and account lockout are logical.
A company configures its firewall to block all inbound traffic except for specific necessary services. This approach aligns with which access control principle?
Denying by default and allowing only necessary traffic is least privilege applied to networks.
Why this answer
Least privilege in network security means denying all traffic except explicitly allowed.
An organization configures account lockout after 5 failed login attempts within 15 minutes. This control is designed to mitigate which type of attack?
Lockout stops automated password guessing by limiting attempts.
Why this answer
Account lockout thresholds (typically 3-10 attempts) help prevent brute-force attacks by temporarily disabling the account after repeated failures.
In the context of identification and authentication, which of the following is an example of authentication?
A biometric scan proves the claimed identity, thus authentication.
Why this answer
Authentication is the process of proving a claimed identity. Providing a fingerprint matches the user's biometric data, verifying identity.
A company requires all visitors to sign in, wear a visible badge, and be escorted while on premises. This is an example of:
Visitor management includes sign-in, badges, and escorts.
Why this answer
Visitor management procedures help control physical access of non-employees.
Which type of access control is implemented by a cable lock attached to a laptop?
Correct. Cable locks are physical.
Why this answer
Cable locks are physical security controls that prevent theft.
A company's physical security includes fencing, security guards, access badges, and biometric locks on server room doors. This layered approach is an example of which access control concept?
Defense in depth is the strategy of using multiple security layers.
Why this answer
Defense in depth uses multiple overlapping physical and logical controls to protect assets.
A session timeout automatically logs out a user after a period of inactivity. This control primarily protects against:
Session timeouts reduce the risk of session hijacking if a user walks away.
Why this answer
Session timeouts prevent unauthorized access from an unattended active session.
An employee uses their username to claim an identity and then enters a password to prove it. What is the term for the process of proving the claimed identity?
Authentication verifies the claimed identity.
Why this answer
Authentication is the process of proving a claimed identity (e.g., via password, biometric).
A company is implementing separation of duties for financial transactions. Which of the following are examples of this principle? (Choose TWO.)
Dual control over purchases.
Why this answer
Separation of duties requires multiple people to complete a critical task to prevent fraud.
A security administrator is configuring a session timeout policy. Which of the following are valid reasons for implementing session timeouts? (Choose TWO.)
Shorter timeouts reduce the time an attacker can use a stolen session.
Why this answer
Session timeouts mitigate unauthorized access from unattended sessions and reduce risk of session hijacking.
Which THREE are key components of Active Directory? (Select THREE.)
Users are objects representing individuals.
Why this answer
Active Directory includes users, groups, and organizational units (OUs). LDAP is a protocol, not a component.
An organization uses fencing, bollards, and lighting around the perimeter, guards at the main entrance, and biometric readers on server room doors. This approach is an example of:
Multiple overlapping physical controls (fencing, guards, biometrics) exemplify defense in depth.
Why this answer
Defense in depth employs multiple layers of security to protect assets.
Which TWO of the following are recommended practices for managing privileged accounts? (Select TWO.)
Correct. Separation reduces risk.
Why this answer
Separating admin accounts from daily accounts and using PAM solutions are key practices.
In an LDAP directory, an entry is represented as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?
CN is Common Name, representing the object's name.
Why this answer
In LDAP, CN stands for Common Name, which is a component of the distinguished name.
A security architect is designing controls to protect a data center. Which TWO of the following are examples of physical access controls? (Select TWO.)
Biometric reader is a physical control (hardware).
Why this answer
Physical access controls include barriers and objects that physically restrict entry.
An account lockout policy is implemented to protect against which type of attack?
Correct. Lockout mitigates brute-force attempts.
Why this answer
Account lockout detects and prevents brute-force attacks by disabling the account after a threshold of failed attempts.
In a directory service like Active Directory, which component is used to organize users, groups, and computers into a hierarchical structure for applying policies?
OUs are containers that organize objects and allow GPO linking.
Why this answer
Organizational Units (OUs) are containers in Active Directory that allow hierarchical organization and Group Policy application.
A security administrator is implementing controls to protect a server room. Which TWO physical security layers should be included as part of a defense-in-depth strategy? (Select TWO.)
Fencing is an external perimeter layer.
Why this answer
Defense in depth uses multiple layers. External perimeter (fencing) and internal server room (biometric) are distinct layers.
Which of the following best describes the purpose of a session timeout?
Session timeouts terminate idle sessions to prevent unauthorized use.
Why this answer
Session timeouts automatically log out idle users after a period of inactivity, reducing the risk of unauthorized access if a user leaves a session open.
A user enters a username and password to access a system. Which phase of the access control process does entering the username represent?
The username identifies who the user claims to be.
Why this answer
Identification is the act of claiming an identity (e.g., username).
An organization wants to ensure that even if an attacker compromises a user's account, the damage is limited. Which principle is most directly applied?
Least privilege minimizes permissions, reducing potential damage.
Why this answer
Least privilege reduces the blast radius of an account compromise.
In a directory service using LDAP, what is the distinguished name (DN) for a user named John Smith in the Sales organizational unit of the company domain company.com?
Correct. This follows the LDAP DN syntax: CN, OU, DC.
Why this answer
The DN format includes CN (common name), OU (organizational unit), and DC (domain component) in order from most specific to most general.
A security administrator is configuring a system to prevent unauthorized access after a user leaves their workstation unattended. Which access control mechanism should be implemented?
Correct. Session timeout automatically logs out idle users.
Why this answer
Session timeouts automatically log out idle users to prevent unauthorized access.
A company's security policy requires that employees use only the minimum permissions needed to perform their job functions. This practice reduces the potential impact if an account is compromised. Which TWO access control principles are being applied?
Need-to-know restricts access to data required for the job.
Why this answer
Least privilege ensures users have only the permissions necessary for their role. Need-to-know complements it by limiting access to data that is essential for job duties. Both principles reduce the blast radius of account compromise.
A security administrator is configuring user permissions and ensures that each user has only the minimum rights needed to perform their job. Which access control principle is the administrator applying?
Least privilege ensures users have only the minimum permissions required.
Why this answer
Least privilege grants users only the permissions necessary to perform their tasks, reducing the potential impact of account compromise.
An LDAP distinguished name (DN) is written as 'CN=John Smith,OU=Sales,DC=company,DC=com'. What does 'CN' represent?
CN stands for Common Name.
Why this answer
In LDAP, CN stands for Common Name, which is typically the user's name.
According to NIST SP 800-63, which password policy is most effective for user authentication?
Correct. This aligns with NIST guidance: favor length, avoid forced changes unless compromised, and screen against known breaches.
Why this answer
NIST SP 800-63 recommends favoring longer passwords (15+ characters for high assurance) over complexity, and avoiding frequent forced changes unless compromised.
A security administrator is configuring user permissions and wants to ensure that each user has only the access rights necessary to perform their job. Which principle is being applied?
Correct. Least privilege ensures users have only the access needed for their roles.
Why this answer
Least privilege means granting only the minimum permissions needed for a user to perform their job, reducing the potential impact of a compromised account.
A security administrator is reviewing physical access controls. Which control is considered an external perimeter security measure?
Fencing is a typical external perimeter control.
Why this answer
External perimeter controls include fencing, bollards, and lighting to deter or delay intruders.
What is the primary purpose of a Privileged Access Management (PAM) solution?
Correct. PAM manages privileged accounts, including session recording and just-in-time access.
Why this answer
PAM controls and monitors the use of privileged accounts (e.g., admin) to reduce risk of misuse or compromise.
A security analyst is reviewing physical security controls. Which TWO are considered layered physical security measures for external perimeter protection?
Fencing is a perimeter barrier.
Why this answer
Fencing and lighting are external perimeter controls.
An administrator configures a Group Policy Object (GPO) in Active Directory to enforce account lockout after 5 failed attempts within 15 minutes. Which type of control is this?
Correct. Lockout is enforced by the operating system or application, a logical control.
Why this answer
Logical access controls are software-based mechanisms that govern access to systems. Account lockout policies are logical controls.
A security auditor is reviewing access controls at a financial institution. The auditor identifies a scenario where one employee can initiate a payment transaction, and the same employee can also approve it. Which access control principle is being violated, and what is the primary risk?
Correct. Separation of duties prevents a single person from performing conflicting tasks, reducing fraud risk.
Why this answer
Separation of duties requires that no single person has the ability to complete a high-risk action without another person's involvement. The scenario describes a violation of this principle, which increases the risk of fraud because an individual could both initiate and approve a fraudulent payment without oversight.
A security analyst is reviewing access control mechanisms. Which TWO of the following are examples of logical access controls? (Select two.)
Smart cards are logical controls for authentication.
Why this answer
Logical access controls are technology-based mechanisms. Passwords and smart cards are logical; fences and guards are physical.
An organization uses a Privileged Access Management (PAM) solution. Which of the following is a primary benefit of PAM?
PAM provides oversight and control over admin accounts.
Why this answer
PAM solutions monitor, control, and audit privileged account usage, reducing risk of misuse.
Which process involves verifying the identity of a user who claims to be a specific person?
Correct. Authentication verifies the claimed identity.
Why this answer
Authentication is the process of proving a claimed identity, typically with passwords, biometrics, or tokens.
Which principle ensures that a user is granted only the permissions necessary to perform their job functions, thereby reducing the potential impact of a compromised account?
Correct. Least privilege grants only the minimum permissions needed.
Why this answer
Least privilege limits permissions to the minimum required, reducing the blast radius if an account is compromised.
An account lockout policy is designed to mitigate which type of attack?
Lockout stops repeated password guessing.
Why this answer
Account lockout prevents brute force attacks by disabling the account after several failed attempts.
Which TWO of the following are components of the identification and authentication process? (Select TWO.)
Password is an authentication factor.
Why this answer
Identification claims an identity; authentication proves it.
A security team is designing a visitor management policy. Which TWO of the following are essential components? (Select TWO.)
Correct. Escort policy ensures visitors are supervised.
Why this answer
Visitor sign-in and escort policy are core to visitor management.