Domain 5 CISSP Exam: Identity and Access Management

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 5: Identity and Access Management

1 / 90

What does IAL3 require for identity proofing?

A. Submission of identity documentation and proofing remotely

B. Self-assertion of identity

C. Physical presence, presentation of highly reliable identity evidence, and formal review by trained CSP staff

D. Submission of identity documentation and proofing in person by the CSP

2 / 90

What is vertical privilege escalation?

A. An attack that grants access to systems or resources the user is not authorized for

B. An attack seeking to gain increased privileges on a system

C. An attack method that exploits improperly configured IAM tools or features like roles

D. A nonhuman account designed to perform specific functions

3 / 90

Which of the following access control models provides specific permissions based on job functions?

A. Rule-based access control

B. Discretionary access control

C. Role-based access control

D. Attribute-based access control

4 / 90

What makes risk-based access control models different from other models?

A. They assume that risks do not change over time

B. They require manual updates to access controls

C. They provide dynamic access control using a variety of parameters

D. They cannot respond to dynamic changes in real time

5 / 90

What is the primary reason for performing a usage review of user, system, and nonhuman accounts?

A. To spot unexpected system activity several times a year

B. To identify unwanted account permissions

C. To enforce accountability for system usage

D. To perform reviews when privileges are used

6 / 90

Which model can be helpful in identifying common need-to-know criteria and granting appropriate access, but not excessive, to applications?

A. Discretionary Access Control (DAC)

B. Mandatory Access Control (MAC)

C. Role-based Access Control (RBAC)

D. Attribute-based Access Control (ABAC)

7 / 90

What is the crossover error rate (CER) in access control systems?

A. The rate at which a system denies access to a subject that is properly authorized.

B. The rate at which a system grants access to a subject that is not authorized.

C. The rate at which Type 1 and Type 2 errors are equal.

D. The rate at which access controls incur costs to implement.

8 / 90

Which of the following is a function supported by an Identity management (IdM) system throughout the access management lifecycle?

A. Employee training and development

B. System monitoring

C. Authorization management

D. Incident response

9 / 90

Which of the following is NOT a process that a credential management system (CMS) should support?

A. Enrollment

B. Credential production

C. Authentication

D. Credential lifecycle management

10 / 90

What is a potential downside of decentralized IAM administration?

A. Lack of accountability

B. Inconsistent enforcement

C. Limited flexibility

D. Single point of failure

11 / 90

What is a common practice for countering risks to devices and the data they contain?

A. Device restriction

B. Containerization

C. Physical access control

D. Remote lock or wipe

12 / 90

What is the advantage of using a hybrid approach for Identity and Access Management?

A. Elimination of on-premise maintenance completely

B. Advanced and more secure management of credentials

C. Reduction of management overhead due to SSO

D. Limited risk exposure of internal resources

13 / 90

Which model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive to applications?

A. Role-based access control (RBAC)

B. Discretionary access control (DAC)

C. Mandatory access control (MAC)

D. Attribute-based access control (ABAC)

14 / 90

What is the purpose of deprovisioning as it relates to account access?

A. To create user accounts

B. To review and approve access requests

C. To remove access when accounts are no longer needed

D. To identify new access needs

15 / 90

What is the difference between deprovisioning under hostile/involuntary circumstances and friendly/voluntary circumstances?

A. Access deprovisioning occurs more slowly in hostile/involuntary circumstances

B. Access deprovisioning requires less oversight in friendly/voluntary circumstances

C. Access deprovisioning procedures require faster action and more oversight in hostile/involuntary circumstances

D. Access deprovisioning procedures are the same in both hostile/involuntary and friendly/voluntary circumstances

16 / 90

What is the most common way of enforcing accountability in a system?

A. Strong authentication

B. Separation of duties

C. Logging and monitoring actions

D. Performing audits or reviews

17 / 90

Which of the following scenarios carries higher risk and requires faster deprovisioning and more oversight according to the text above?

A. Staff member resigns or retires

B. Staff member being let go at the companys decision

C. A users job changes

D. None of the above

18 / 90

What is the updated guidance for managing Type 1 authentication factors according to NIST SP 800-63B?

A. Use complex passwords with a mix of uppercase, lowercase, special, and numeric characters

B. Require frequent password changes to increase security

C. Use longer passphrases of common words without added complexity requirements

D. Implement passwords for system accounts where a program or script has the password stored

19 / 90

Which access control model can be helpful in identifying common need-to-know criteria for granting access to applications appropriately?

A. ABAC

B. RBAC

C. MAC

D. DAC

20 / 90

What does IAM consist of?

A. Processes and tools designed to grant access to all users

B. Processes and tools designed to restrict access to only unauthorized users

C. Processes and tools designed to restrict access to only properly authorized users

D. Processes and tools designed to guarantee absolute integrity

21 / 90

Which is a fundamental requirement for the security practitioner when it comes to information access control in order to protect specific pieces of information with different requirements over time?

A. Make changes to the document.

B. Determine the type or level of protection necessary.

C. Synchronize policies within the organization.

D. Publicize all information regardless of sensitivity.

22 / 90

What is the purpose of intrusion detection sensors in Physical Access Control Systems (PACSs)?

A. To prevent unauthorized access

B. To track and control the flow of assets

C. To respond to emergency situations

D. To identify if improper access has been gained

23 / 90

Which of the following is an implementation of confidentiality control in system-level Identity and Access Management (IAM)?

A. Authentication in IAM

B. Physical access controls at the facility level

C. Full disk encryption (FDE)

D. Logging of system actions and identifying information

24 / 90

In Kerberos, what is the function of the Key Distribution Center (KDC)?

A. It authenticates principles by exchanging encrypted data.

B. It provides a ticket to an authenticated principal.

C. It performs registration for new users and maintains the database of secret keys.

D. It grants access to a properly authenticated user.

25 / 90

What is Open Authorization (OAuth)?

A. An open protocol for secure authentication from web, mobile, and desktop applications.

B. An open protocol for secure authentication in a simple and standard method from web, mobile, and desktop applications.

C. An open protocol for secure authorization in a simple and standard method from web, mobile, and desktop applications.

D. An open protocol for secure authorization in a simple and standard method from web and mobile applications.

26 / 90

What is the difference between centralized and decentralized IAM administration?

A. Centralized IAM administration uses a dedicated access control function while decentralized IAM administration assigns access control decisions to system or information owners.

B. Centralized IAM administration assigns access control decisions to system or information owners while decentralized IAM administration uses a dedicated access control function.

C. Centralized IAM administration is more flexible than decentralized IAM administration.

D. Decentralized IAM administration offers very strict oversight and monitoring.

27 / 90

Which of the following physical access control methods is designed to explicitly limit the rate of access to a facility?

A. User identification

B. Fences and gates

C. Turnstile or mantrap

D. Locks and keys

28 / 90

Which of the following is an example of a logical access control?

A. Door lock

B. Fence

C. Password

D. Security camera

29 / 90

What is the purpose of preventing toxic role combinations in a properly designed RBAC model?

A. To reduce overhead in creating and managing authorizations for users.

B. To prevent malicious actions by users with administrative privileges.

C. To implement least privilege and preserve data integrity.

D. To align with business or organization objectives.

30 / 90

What is a common method for identifying people entering or leaving a secured area?

A. Infrared sensors

B. QR codes

C. Sonic sensors

D. Pressure sensors

31 / 90

What is the purpose of physical access controls like turnstiles and mantraps?

A. To prevent unauthorized access by requiring that users present separate credentials to enter a secure vestibule space and the main space

B. To detect intruders based on body heat, sounds, or movement

C. To identify and track people, vehicles, and other resources entering or leaving a secured area

D. To deter or prevent unwanted access and generate more intelligent alerts with CCTV surveillance

32 / 90

Which of the following statements best describes attribute-based access control (ABAC)?

A. ABAC is an access control model that uses license keys to grant access to users.

B. ABAC evaluates attributes about the subject and objects against a policy to make an access control decision.

C. ABAC is a binary access control model that allows or denies access based on a predefined list of roles.

D. ABAC is an authentication mechanism that requires users to provide multiple factors to access a system.

33 / 90

Which of the following processes is not supported by an Identity Management (IdM) system?

A. Provisioning

B. Deprovisioning

C. Identity review

D. Configuration management

34 / 90

What is session management?

A. The practice of tracking user accounts on web applications

B. The practice of initiating, managing, and terminating sessions

C. The practice of securing server-side sessions

D. The practice of authenticating users

35 / 90

Which of the following tasks is supported by an Identity Management (IdM) system in the access management lifecycle?

A. Secure socket interface management

B. Firewall configuration management

C. Authorization management

D. Data backup management

36 / 90

What is one of the main challenges of biometric authentication that security practitioners must consider?

A. The potential for biometric scanners to be easily compromised.

B. The fact that biometric systems are not accessible to disabled users.

C. The cultural acceptance of body part exposure required for biometric authentication.

D. The difficulty of updating biometric information if a users physical characteristics change.

37 / 90

What security objective does nonrepudiation support in IAM systems?

A. Confidentiality

B. Integrity

C. Authenticity

D. Availability

38 / 90

In SAML, what is the role of the identity provider (IdP)?

A. Make a request to a service provider (SP)

B. Authenticate and authorize the user

C. Provide resources to the user

D. Receive requests from the user agent

39 / 90

Which of the following is an example of Type 2 authentication?

A. Password

B. Fingerprint scan

C. Smartphone app

D. Security question answer

40 / 90

What are objects within the context of access control models?

A. Assets that do not require access control

B. Human users who require access to files or facilities

C. Non-human entities like systems, processes, and devices

D. Security attributes like confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA)

41 / 90

What is the minimum requirement for identity proofing in IAL1?

A. Verification of real-world identity by trained CSP staff

B. Submission of identity documentation and proofing either in-person or remotely by the CSP

C. Self-assertion of identity by the user

D. Presentation of highly reliable identity evidence like government-issued ID.

42 / 90

What is an emphasis of the updated guidance for managing Type 1 authentication factors?

A. Requirements for complex passwords with changing numbers

B. Use of short and easy to remember passwords

C. Increase in length of passphrases over complexity

D. Frequent password changes

43 / 90

Which physical access control element provides an opportunity to make an access decision?

A. Fences and gates

B. Intrusion detection sensors

C. Turnstile or mantrap

D. CCTV surveillance

44 / 90

Which security control can be used to enforce security policy restrictions such as the use of a complex passcode or encryption on a user device?

A. MAC

B. DAC

C. MFA

D. RBAC

45 / 90

What is the role of the Ticket Granting Server (TGS) in a Kerberos environment?

A. It authenticates users and services.

B. It performs the function of user registration and secret key management.

C. It provides service tickets to authenticated users.

D. It encrypts data exchanged between the user and the Kerberos server.

46 / 90

What is the highest level of assurance for identity proofing according to NIST SP 800-63-3?

A. IAL1

B. IAL2

C. IAL3

D. It is not specified in the text.

47 / 90

Which one of the following is NOT one of the four foundational elements of Identity and Access Management (IAM)?

A. Identification

B. Authentication

C. Authorization

D. Accountability

48 / 90

What is one of the primary risks associated with using a third-party IDaaS provider for access control?

A. Increased demand for collaboration among different teams, business units, and organizations

B. Custom methods for extending the IAM scheme to external entities

C. Potential loss of control and compromised identity and access management information in the event of a data breach

D. Reduced risk due to more robust uptime capabilities

49 / 90

Which of the following elements of Physical Access Control Systems (PACSs) allows for making an access decision by granting or denying access to authorized and unauthorized users?

A. Fences and gates

B. Turnstile or mantrap

C. Locks and keys

D. Secured doors

50 / 90

Which model is based on a list of predefined rules to determine authorization?

A. Rule-based access control

B. Role-based access control

C. Attribute-based access control

D. Mandatory access control

51 / 90

What is session hijacking?

A. When an attacker intercepts a session token and later uses it to impersonate an authorized user

B. When a user on the same network performs packet sniffing to steal session cookie information

C. When an attacker impersonates one of the authentic communicating parties

D. When web applications reuse session IDs

52 / 90

Which model can be helpful for identifying common need-to-know criteria in granting appropriate but not excessive access to applications?

A. Rule-based access control (RBAC)

B. Attribute-based access control (ABAC)

C. Discretionary access control (DAC)

D. Mandatory access control (MAC)

53 / 90

What is the purpose of intrusion detection sensors in a Physical Access Control System?

A. To identify authorized users entering a secured area

B. To track the flow of assets entering and leaving the facility

C. To deter unwanted access to a facility

D. To identify if improper access has been gained

54 / 90

Which of the following is an example of access in the context of access control?

A. Subject entering a facility

B. Object sharing its information with other objects

C. Subject being granted read and write access to a file

D. Object requiring protection of basic security attributes

55 / 90

Which of the following functionalities of an IdM supports oversight of identities and access by providing key details about the authorizations that are granted to an identity?

A. Authorization management

B. Deprovisioning

C. Identity review

D. Provisioning

56 / 90

Which of the following is a key functionality of Identity Management (IdM)?

A. Managing network infrastructure.

B. Managing cloud-based applications.

C. Facilitating password sharing.

D. Providing oversight of identities and access.

57 / 90

Which type of authentication system provides access to a set of files or one computer only?

A. LDAP or IDaaS

B. Remote access authentication system

C. Federated identity authentication system

D. Local authentication functions

58 / 90

What is an important consideration for device IAM?

A. All devices must be connected to the same network to ensure proper IAM.

B. An access control system should be configured to grant access to any device that attempts to sign in.

C. Proper endpoint security should be implemented to ensure access controls are applied with respect to the security of devices.

D. Any device that contains sensitive data should be quarantined and not allowed access to the organizations network.

59 / 90

What is one of the primary use cases for Just-In-Time (JIT) identity and access management?

A. To create user identities for all employees in an organization

B. To grant a user access to all systems upon joining an organization

C. To provision access based on a users role or job function

D. To automatically change a users credentials every 30 days

60 / 90

Which component of a Kerberos environment is responsible for performing registration for new users and maintaining the database of secret keys?

A. Principals

B. Authentication Server (AS)

C. Key Distribution Center (KDC)

D. Ticket Granting Server (TGS)

61 / 90

Which security objective of critical information can be supported through access controls by preventing unauthorized users from making changes to information?

A. Confidentiality

B. Integrity

C. Availability

D. Authenticity

62 / 90

Which of the following functionalities of an IdM system supports oversight of identities and access by providing key details about the authorizations that are granted to an identity?

A. Provisioning

B. Deprovisioning

C. Authorization management

D. Identity review

63 / 90

Which of the following is true regarding physical security measures for information system security within facilities?

A. Logical security controls are always sufficient to prevent unwanted data access regardless of the physical security measures.

B. Physical security measures are not important when discussing information system security.

C. Secure perimeter paradigm is a commonly used physical security measure for securing facilities.

D. Physical security measures for facilities are not necessary since they do not contain any critical information.

64 / 90

What is one advantage of using a cloud-based IDaaS solution for IAM in organizations with a cloud-first or cloud-native approach?

A. They provide better security controls for on-premise infrastructure.

B. They reduce administrative overhead associated with user provisioning for SaaS tools.

C. They require less hardware and software to manage legacy applications or services.

D. They offer more flexibility to manage federated access controls for external partners.

65 / 90

Which of the following is a weakness of biometric authentication that requires security practitioners to balance user and cultural requirements when designing authentication schemes?

A. Difficulty for disabled users to use biometric systems

B. Inability of users to easily change biometric data if the system is compromised

C. Changes in biometric data over time

D. Cultural acceptance of visible skin or public access to body parts

66 / 90

What is a primary concern for device Identity and Access Management (IAM)?

A. Ensuring devices are always updated with the latest software

B. Ensuring access is restricted to only authorized users

C. Allowing devices to connect to any network without restriction

D. Making sure devices are always accessible to all users

67 / 90

Which of the following is an effective way to isolate organization data from other apps on a personal device?

A. Remote lock or wipe

B. Device protection

C. Containerization

D. EDR software

68 / 90

Which protocol is generally implemented for controlling access to network infrastructure resources like routers?

A. RADIUS

B. 802.1X

C. TACACS+

D. AAA

69 / 90

Which of the following best describes the mandatory access control (MAC) model?

A. MAC model employs a dynamic and non-hierarchical approach to access control.

B. MAC model is often associated with data owners or others who enforce access control in a discretionary manner.

C. MAC model applies security labels to subjects and objects to systematically enforce access control.

D. MAC model allows users with a security label of Secret to access files labeled Top Secret.

70 / 90

What are the two popular approaches for implementing SSO?

A. Users log in to various websites using a single set of credentials

B. Users log in to a specific website using different credentials for each application

C. Users log in to a specific website using a single set of credentials or a single work resource like Microsoft 365 or Google Workspace collaboration platforms

D. Users do not need to log in to access any applications if using an SSO-enabled system

71 / 90

What is a primary advantage of federating identity management across organizations in a FIM scheme?

A. Increased security controls across organizations

B. Reduced security risks across organizations

C. Simplified administrative overhead of account management

D. Increased user access to multiple systems

72 / 90

In a Kerberos environment, what is the function of the Authentication Server (AS)?

A. It performs registration for new users and maintains the database of secret keys.

B. It provides a ticket to an authenticated principal, which allows them to make requests for service tickets.

C. It exchanges encrypted data to authenticate principles.

D. It allows kerberized applications to grant access to authenticated users.

73 / 90

Which of the following is a weakness of biometrics that requires the security practitioner to balance the needs for authentication and acceptance of a biometric solution in relation to cultural requirements?

A. Disabled users may have difficulty using biometric systems or even lack the needed body parts

B. Biometric scanners require visible skin and public access to body parts that may be culturally unacceptable

C. Some users may change their physical characteristics over time, causing false rejections

D. Users do not have an easy way to change biometrics if the authentication system is compromised

74 / 90

What is the purpose of device identification in Physical Access Control Systems (PACSs)?

A. To identify and track human beings entering or leaving a secured area

B. To identify and track vehicles entering or leaving a secured area

C. To identify and track nonhuman users throughout the facility or at ingress and egress points

D. To detect if improper access has been gained

75 / 90

According to the updated guidance in NIST SP 800-63B, what is preferred for Type 1 authentication factors, and why?

A. Complex passwords with multiple character types, to prevent attackers from guessing them

B. Passphrases that are longer but easier to remember, to prevent unintended user lockouts

C. Numeric PINs, as they are more secure than passwords or passphrases

D. Security questions, as they provide an additional layer of security

76 / 90

In a discretionary access control (DAC) model, who makes access decisions?

A. A centralized IT department

B. A designated security officer

C. The system or data owner

D. The end user

77 / 90

Which of the following is a weakness of biometrics that must be considered by security practitioners?

A. Biometric systems may be expensive to implement.

B. Biometric systems cannot detect fake credentials.

C. Biometric system may not be culturally acceptable.

D. Biometric systems do not require proper sanitization.

78 / 90

What is a primary concern in device IAM?

A. Ensuring physical access controls are in place for portable devices

B. Ensuring access is restricted to only authorized users

C. Ensuring all devices are equipped with EDR software

D. Ensuring all devices have strong passwords

79 / 90

What is the purpose of the Key Distribution Center (KDC) in a Kerberos realm?

A. To authenticate principals by exchanging encrypted data.

B. To maintain the database of secret keys and perform registration for new users.

C. To provide a ticket to an authenticated principal, which allows them to make requests for service tickets.

D. To grant access to a properly authenticated user.

80 / 90

What is the updated guidance for managing Type 1 authentication factors in NIST SP 800-63B?

A. Passwords must contain a mix of uppercase, lowercase, special, and numeric characters.

B. Longer passphrases of common words without added complexity requirements are preferred.

C. Passwords should be changed frequently.

D. Complex passwords are the most secure authentication factor.

81 / 90

What is the purpose of turnstiles and mantraps in physical access control systems?

A. To detect intruders using heat and pressure sensors.

B. To provide a barrier for vehicles and deliveries.

C. To limit the rate of access to a facility and guard against piggybacking.

D. To monitor and deter unwanted access with surveillance cameras.

82 / 90

Which of the following physical control elements is designed to explicitly limit the rate of access to a facility?

A. Fences and gates

B. CCTV surveillance

C. Turnstile or mantrap

D. Intrusion detection sensors

83 / 90

Which principle is important to consider when defining roles for access management?

A. Availability

B. Confidentiality

C. Least privilege

D. Integrity

84 / 90

Which of the following is a weakness of biometric authentication systems in terms of accessibility?

A. Biometric systems are not culturally acceptable in certain countries.

B. Biometric systems require visible skin and public access to body parts that may be culturally unacceptable

C. Disabled users may have difficulty using biometric systems or even lack the needed body parts.

D. Biometric systems are subject to flaws or biases, such as difficulty distinguishing users of certain ethnicities or skin colors.

85 / 90

What is deprovisioning?

A. The action of enabling or creating access

B. The process of verifying user access to data and systems

C. The opposite action of provisioning, which may include suspending or terminating access credentials

D. The task of identifying which systems and data the user has access to

86 / 90

Which of the following is an example of a Type 2 authentication factor?

A. Username and password

B. Personal identification number (PIN)

C. Trusted smartphone

D. Biometric authentication

87 / 90

Which of the following attacks occurs when a user on the same network performs packet sniffing to steal session cookie information, which allows the attacker to impersonate the authorized user?

A. Session hijacking

B. Session replay

C. Session sidejacking

D. Session fixation

88 / 90

What is the main difference between single-factor authentication and multifactor authentication?

A. Single factor authentication requires multiple pieces of authentication information, while multifactor authentication requires just one authentication factor

B. Single-factor authentication requires just one factor to verify an identity, while multifactor authentication requires the use of more than one authentication factor

C. Single-factor authentication only uses Type 2 authentication factors, while multifactor authentication utilizes all three types of authentication factors

D. Single-factor authentication is only used for physical access control, while multifactor authentication is used for digital access control

89 / 90

What is the fundamental practice of access control?

A. Protecting basic security attributes

B. Defining how access is granted, used, and monitored

C. Monitoring access

D. All of the above

90 / 90

What is the Identity Assurance Level (IAL) that only requires the user to self-assert their identity without requiring a link to a verified real-life identity and is appropriate for systems where accountability does not extend to real-world consequences such as criminal action?

A. IAL2

B. IAL1

C. IAL3

D. IAL4

Your score is

🔒 Hands-On Cybersecurity Course + INTERNSHIP 🔒

Visit our Cyber Course

CISSP Domain 5: Identity and Access Management

Core Focus

Domain 5 is crucial for managing and securing identity and access within organizations, ensuring appropriate resource access.

Key Areas

Identity Management: User registration and digital identity creation
Access Management: Authorizing data and system access
Identity as a Service (IDaaS): Cloud-based identity solutions

Learning Path

1. Study Domain 5 Resources
2. Explore Domain 4: Communication and Network Security
3. Master Domain 6: Security Assessment and Testing

Additional Support

Join our Cyber Course + Internship
Visit (ISC)² Official Website for official information

We’re here to support your CISSP certification journey. Good luck with your preparation!

Back to All CISSP Domains / Home

CISSP Domain 5: Identity and Access Management

Core Focus

Key Areas

Learning Path

Additional Support

Explore our other free practice tests:

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

CISSP Domain 5: Identity and Access Management

Core Focus

Key Areas

Learning Path

Additional Support

Explore our other free practice tests:

Fill up to receive the FREE CISSP deck!

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.