Domain 5 CISSP Exam: Identity and Access Management

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 5: Identity and Access Management

1 / 90

Which of the following scenarios carries higher risk and requires faster deprovisioning and more oversight according to the text above?

A. Staff member resigns or retires

B. Staff member being let go at the companys decision

C. A users job changes

D. None of the above

2 / 90

Which of the following is an example of Type 2 authentication?

A. Password

B. Fingerprint scan

C. Smartphone app

D. Security question answer

3 / 90

Which security objective of critical information can be supported through access controls by preventing unauthorized users from making changes to information?

A. Confidentiality

B. Integrity

C. Availability

D. Authenticity

4 / 90

What is the fundamental practice of access control?

A. Protecting basic security attributes

B. Defining how access is granted, used, and monitored

C. Monitoring access

D. All of the above

5 / 90

What are the two popular approaches for implementing SSO?

A. Users log in to various websites using a single set of credentials

B. Users log in to a specific website using different credentials for each application

C. Users log in to a specific website using a single set of credentials or a single work resource like Microsoft 365 or Google Workspace collaboration platforms

D. Users do not need to log in to access any applications if using an SSO-enabled system

6 / 90

Which protocol is generally implemented for controlling access to network infrastructure resources like routers?

A. RADIUS

B. 802.1X

C. TACACS+

D. AAA

7 / 90

What is the purpose of deprovisioning as it relates to account access?

A. To create user accounts

B. To review and approve access requests

C. To remove access when accounts are no longer needed

D. To identify new access needs

8 / 90

What is one of the main challenges of biometric authentication that security practitioners must consider?

A. The potential for biometric scanners to be easily compromised.

B. The fact that biometric systems are not accessible to disabled users.

C. The cultural acceptance of body part exposure required for biometric authentication.

D. The difficulty of updating biometric information if a users physical characteristics change.

9 / 90

What is the updated guidance for managing Type 1 authentication factors in NIST SP 800-63B?

A. Passwords must contain a mix of uppercase, lowercase, special, and numeric characters.

B. Longer passphrases of common words without added complexity requirements are preferred.

C. Passwords should be changed frequently.

D. Complex passwords are the most secure authentication factor.

10 / 90

In Kerberos, what is the function of the Key Distribution Center (KDC)?

A. It authenticates principles by exchanging encrypted data.

B. It provides a ticket to an authenticated principal.

C. It performs registration for new users and maintains the database of secret keys.

D. It grants access to a properly authenticated user.

11 / 90

Which of the following functionalities of an IdM supports oversight of identities and access by providing key details about the authorizations that are granted to an identity?

A. Authorization management

B. Deprovisioning

C. Identity review

D. Provisioning

12 / 90

What is the purpose of preventing toxic role combinations in a properly designed RBAC model?

A. To reduce overhead in creating and managing authorizations for users.

B. To prevent malicious actions by users with administrative privileges.

C. To implement least privilege and preserve data integrity.

D. To align with business or organization objectives.

13 / 90

Which physical access control element provides an opportunity to make an access decision?

A. Fences and gates

B. Intrusion detection sensors

C. Turnstile or mantrap

D. CCTV surveillance

14 / 90

Which is a fundamental requirement for the security practitioner when it comes to information access control in order to protect specific pieces of information with different requirements over time?

A. Make changes to the document.

B. Determine the type or level of protection necessary.

C. Synchronize policies within the organization.

D. Publicize all information regardless of sensitivity.

15 / 90

What is the minimum requirement for identity proofing in IAL1?

A. Verification of real-world identity by trained CSP staff

B. Submission of identity documentation and proofing either in-person or remotely by the CSP

C. Self-assertion of identity by the user

D. Presentation of highly reliable identity evidence like government-issued ID.

16 / 90

Which of the following is an effective way to isolate organization data from other apps on a personal device?

A. Remote lock or wipe

B. Device protection

C. Containerization

D. EDR software

17 / 90

What is the purpose of intrusion detection sensors in a Physical Access Control System?

A. To identify authorized users entering a secured area

B. To track the flow of assets entering and leaving the facility

C. To deter unwanted access to a facility

D. To identify if improper access has been gained

18 / 90

What is the purpose of physical access controls like turnstiles and mantraps?

A. To prevent unauthorized access by requiring that users present separate credentials to enter a secure vestibule space and the main space

B. To detect intruders based on body heat, sounds, or movement

C. To identify and track people, vehicles, and other resources entering or leaving a secured area

D. To deter or prevent unwanted access and generate more intelligent alerts with CCTV surveillance

19 / 90

What is deprovisioning?

A. The action of enabling or creating access

B. The process of verifying user access to data and systems

C. The opposite action of provisioning, which may include suspending or terminating access credentials

D. The task of identifying which systems and data the user has access to

20 / 90

What is the primary reason for performing a usage review of user, system, and nonhuman accounts?

A. To spot unexpected system activity several times a year

B. To identify unwanted account permissions

C. To enforce accountability for system usage

D. To perform reviews when privileges are used

21 / 90

Which of the following is a weakness of biometrics that requires the security practitioner to balance the needs for authentication and acceptance of a biometric solution in relation to cultural requirements?

A. Disabled users may have difficulty using biometric systems or even lack the needed body parts

B. Biometric scanners require visible skin and public access to body parts that may be culturally unacceptable

C. Some users may change their physical characteristics over time, causing false rejections

D. Users do not have an easy way to change biometrics if the authentication system is compromised

22 / 90

Which of the following physical access control methods is designed to explicitly limit the rate of access to a facility?

A. User identification

B. Fences and gates

C. Turnstile or mantrap

D. Locks and keys

23 / 90

What is the purpose of the Key Distribution Center (KDC) in a Kerberos realm?

A. To authenticate principals by exchanging encrypted data.

B. To maintain the database of secret keys and perform registration for new users.

C. To provide a ticket to an authenticated principal, which allows them to make requests for service tickets.

D. To grant access to a properly authenticated user.

24 / 90

In a Kerberos environment, what is the function of the Authentication Server (AS)?

A. It performs registration for new users and maintains the database of secret keys.

B. It provides a ticket to an authenticated principal, which allows them to make requests for service tickets.

C. It exchanges encrypted data to authenticate principles.

D. It allows kerberized applications to grant access to authenticated users.

25 / 90

Which model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive to applications?

A. Role-based access control (RBAC)

B. Discretionary access control (DAC)

C. Mandatory access control (MAC)

D. Attribute-based access control (ABAC)

26 / 90

What is session management?

A. The practice of tracking user accounts on web applications

B. The practice of initiating, managing, and terminating sessions

C. The practice of securing server-side sessions

D. The practice of authenticating users

27 / 90

What is one of the primary use cases for Just-In-Time (JIT) identity and access management?

A. To create user identities for all employees in an organization

B. To grant a user access to all systems upon joining an organization

C. To provision access based on a users role or job function

D. To automatically change a users credentials every 30 days

28 / 90

What is session hijacking?

A. When an attacker intercepts a session token and later uses it to impersonate an authorized user

B. When a user on the same network performs packet sniffing to steal session cookie information

C. When an attacker impersonates one of the authentic communicating parties

D. When web applications reuse session IDs

29 / 90

What is the purpose of turnstiles and mantraps in physical access control systems?

A. To detect intruders using heat and pressure sensors.

B. To provide a barrier for vehicles and deliveries.

C. To limit the rate of access to a facility and guard against piggybacking.

D. To monitor and deter unwanted access with surveillance cameras.

30 / 90

What is the updated guidance for managing Type 1 authentication factors according to NIST SP 800-63B?

A. Use complex passwords with a mix of uppercase, lowercase, special, and numeric characters

B. Require frequent password changes to increase security

C. Use longer passphrases of common words without added complexity requirements

D. Implement passwords for system accounts where a program or script has the password stored

31 / 90

What is the main difference between single-factor authentication and multifactor authentication?

A. Single factor authentication requires multiple pieces of authentication information, while multifactor authentication requires just one authentication factor

B. Single-factor authentication requires just one factor to verify an identity, while multifactor authentication requires the use of more than one authentication factor

C. Single-factor authentication only uses Type 2 authentication factors, while multifactor authentication utilizes all three types of authentication factors

D. Single-factor authentication is only used for physical access control, while multifactor authentication is used for digital access control

32 / 90

Which of the following best describes the mandatory access control (MAC) model?

A. MAC model employs a dynamic and non-hierarchical approach to access control.

B. MAC model is often associated with data owners or others who enforce access control in a discretionary manner.

C. MAC model applies security labels to subjects and objects to systematically enforce access control.

D. MAC model allows users with a security label of Secret to access files labeled Top Secret.

33 / 90

What is an emphasis of the updated guidance for managing Type 1 authentication factors?

A. Requirements for complex passwords with changing numbers

B. Use of short and easy to remember passwords

C. Increase in length of passphrases over complexity

D. Frequent password changes

34 / 90

What is a primary concern for device Identity and Access Management (IAM)?

A. Ensuring devices are always updated with the latest software

B. Ensuring access is restricted to only authorized users

C. Allowing devices to connect to any network without restriction

D. Making sure devices are always accessible to all users

35 / 90

Which model is based on a list of predefined rules to determine authorization?

A. Rule-based access control

B. Role-based access control

C. Attribute-based access control

D. Mandatory access control

36 / 90

Which model can be helpful for identifying common need-to-know criteria in granting appropriate but not excessive access to applications?

A. Rule-based access control (RBAC)

B. Attribute-based access control (ABAC)

C. Discretionary access control (DAC)

D. Mandatory access control (MAC)

37 / 90

According to the updated guidance in NIST SP 800-63B, what is preferred for Type 1 authentication factors, and why?

A. Complex passwords with multiple character types, to prevent attackers from guessing them

B. Passphrases that are longer but easier to remember, to prevent unintended user lockouts

C. Numeric PINs, as they are more secure than passwords or passphrases

D. Security questions, as they provide an additional layer of security

38 / 90

Which principle is important to consider when defining roles for access management?

A. Availability

B. Confidentiality

C. Least privilege

D. Integrity

39 / 90

Which of the following is a weakness of biometric authentication systems in terms of accessibility?

A. Biometric systems are not culturally acceptable in certain countries.

B. Biometric systems require visible skin and public access to body parts that may be culturally unacceptable

C. Disabled users may have difficulty using biometric systems or even lack the needed body parts.

D. Biometric systems are subject to flaws or biases, such as difficulty distinguishing users of certain ethnicities or skin colors.

40 / 90

Which of the following is an example of a Type 2 authentication factor?

A. Username and password

B. Personal identification number (PIN)

C. Trusted smartphone

D. Biometric authentication

41 / 90

Which of the following is a function supported by an Identity management (IdM) system throughout the access management lifecycle?

A. Employee training and development

B. System monitoring

C. Authorization management

D. Incident response

42 / 90

Which of the following is an example of access in the context of access control?

A. Subject entering a facility

B. Object sharing its information with other objects

C. Subject being granted read and write access to a file

D. Object requiring protection of basic security attributes

43 / 90

What is Open Authorization (OAuth)?

A. An open protocol for secure authentication from web, mobile, and desktop applications.

B. An open protocol for secure authentication in a simple and standard method from web, mobile, and desktop applications.

C. An open protocol for secure authorization in a simple and standard method from web, mobile, and desktop applications.

D. An open protocol for secure authorization in a simple and standard method from web and mobile applications.

44 / 90

Which one of the following is NOT one of the four foundational elements of Identity and Access Management (IAM)?

A. Identification

B. Authentication

C. Authorization

D. Accountability

45 / 90

What is the crossover error rate (CER) in access control systems?

A. The rate at which a system denies access to a subject that is properly authorized.

B. The rate at which a system grants access to a subject that is not authorized.

C. The rate at which Type 1 and Type 2 errors are equal.

D. The rate at which access controls incur costs to implement.

46 / 90

Which of the following attacks occurs when a user on the same network performs packet sniffing to steal session cookie information, which allows the attacker to impersonate the authorized user?

A. Session hijacking

B. Session replay

C. Session sidejacking

D. Session fixation

47 / 90

What is one advantage of using a cloud-based IDaaS solution for IAM in organizations with a cloud-first or cloud-native approach?

A. They provide better security controls for on-premise infrastructure.

B. They reduce administrative overhead associated with user provisioning for SaaS tools.

C. They require less hardware and software to manage legacy applications or services.

D. They offer more flexibility to manage federated access controls for external partners.

48 / 90

Which type of authentication system provides access to a set of files or one computer only?

A. LDAP or IDaaS

B. Remote access authentication system

C. Federated identity authentication system

D. Local authentication functions

49 / 90

What is one of the primary risks associated with using a third-party IDaaS provider for access control?

A. Increased demand for collaboration among different teams, business units, and organizations

B. Custom methods for extending the IAM scheme to external entities

C. Potential loss of control and compromised identity and access management information in the event of a data breach

D. Reduced risk due to more robust uptime capabilities

50 / 90

What is a common practice for countering risks to devices and the data they contain?

A. Device restriction

B. Containerization

C. Physical access control

D. Remote lock or wipe

51 / 90

What is a primary concern in device IAM?

A. Ensuring physical access controls are in place for portable devices

B. Ensuring access is restricted to only authorized users

C. Ensuring all devices are equipped with EDR software

D. Ensuring all devices have strong passwords

52 / 90

Which of the following elements of Physical Access Control Systems (PACSs) allows for making an access decision by granting or denying access to authorized and unauthorized users?

A. Fences and gates

B. Turnstile or mantrap

C. Locks and keys

D. Secured doors

53 / 90

What is vertical privilege escalation?

A. An attack that grants access to systems or resources the user is not authorized for

B. An attack seeking to gain increased privileges on a system

C. An attack method that exploits improperly configured IAM tools or features like roles

D. A nonhuman account designed to perform specific functions

54 / 90

Which of the following is an implementation of confidentiality control in system-level Identity and Access Management (IAM)?

A. Authentication in IAM

B. Physical access controls at the facility level

C. Full disk encryption (FDE)

D. Logging of system actions and identifying information

55 / 90

Which component of a Kerberos environment is responsible for performing registration for new users and maintaining the database of secret keys?

A. Principals

B. Authentication Server (AS)

C. Key Distribution Center (KDC)

D. Ticket Granting Server (TGS)

56 / 90

Which of the following physical control elements is designed to explicitly limit the rate of access to a facility?

A. Fences and gates

B. CCTV surveillance

C. Turnstile or mantrap

D. Intrusion detection sensors

57 / 90

Which of the following processes is not supported by an Identity Management (IdM) system?

A. Provisioning

B. Deprovisioning

C. Identity review

D. Configuration management

58 / 90

In SAML, what is the role of the identity provider (IdP)?

A. Make a request to a service provider (SP)

B. Authenticate and authorize the user

C. Provide resources to the user

D. Receive requests from the user agent

59 / 90

What makes risk-based access control models different from other models?

A. They assume that risks do not change over time

B. They require manual updates to access controls

C. They provide dynamic access control using a variety of parameters

D. They cannot respond to dynamic changes in real time

60 / 90

What is an important consideration for device IAM?

A. All devices must be connected to the same network to ensure proper IAM.

B. An access control system should be configured to grant access to any device that attempts to sign in.

C. Proper endpoint security should be implemented to ensure access controls are applied with respect to the security of devices.

D. Any device that contains sensitive data should be quarantined and not allowed access to the organizations network.

61 / 90

What is a common method for identifying people entering or leaving a secured area?

A. Infrared sensors

B. QR codes

C. Sonic sensors

D. Pressure sensors

62 / 90

Which of the following statements best describes attribute-based access control (ABAC)?

A. ABAC is an access control model that uses license keys to grant access to users.

B. ABAC evaluates attributes about the subject and objects against a policy to make an access control decision.

C. ABAC is a binary access control model that allows or denies access based on a predefined list of roles.

D. ABAC is an authentication mechanism that requires users to provide multiple factors to access a system.

63 / 90

What is the difference between centralized and decentralized IAM administration?

A. Centralized IAM administration uses a dedicated access control function while decentralized IAM administration assigns access control decisions to system or information owners.

B. Centralized IAM administration assigns access control decisions to system or information owners while decentralized IAM administration uses a dedicated access control function.

C. Centralized IAM administration is more flexible than decentralized IAM administration.

D. Decentralized IAM administration offers very strict oversight and monitoring.

64 / 90

Which of the following is a weakness of biometric authentication that requires security practitioners to balance user and cultural requirements when designing authentication schemes?

A. Difficulty for disabled users to use biometric systems

B. Inability of users to easily change biometric data if the system is compromised

C. Changes in biometric data over time

D. Cultural acceptance of visible skin or public access to body parts

65 / 90

What security objective does nonrepudiation support in IAM systems?

A. Confidentiality

B. Integrity

C. Authenticity

D. Availability

66 / 90

What does IAL3 require for identity proofing?

A. Submission of identity documentation and proofing remotely

B. Self-assertion of identity

C. Physical presence, presentation of highly reliable identity evidence, and formal review by trained CSP staff

D. Submission of identity documentation and proofing in person by the CSP

67 / 90

What is the Identity Assurance Level (IAL) that only requires the user to self-assert their identity without requiring a link to a verified real-life identity and is appropriate for systems where accountability does not extend to real-world consequences such as criminal action?

A. IAL2

B. IAL1

C. IAL3

D. IAL4

68 / 90

What is the difference between deprovisioning under hostile/involuntary circumstances and friendly/voluntary circumstances?

A. Access deprovisioning occurs more slowly in hostile/involuntary circumstances

B. Access deprovisioning requires less oversight in friendly/voluntary circumstances

C. Access deprovisioning procedures require faster action and more oversight in hostile/involuntary circumstances

D. Access deprovisioning procedures are the same in both hostile/involuntary and friendly/voluntary circumstances

69 / 90

Which access control model can be helpful in identifying common need-to-know criteria for granting access to applications appropriately?

A. ABAC

B. RBAC

C. MAC

D. DAC

70 / 90

Which of the following access control models provides specific permissions based on job functions?

A. Rule-based access control

B. Discretionary access control

C. Role-based access control

D. Attribute-based access control

71 / 90

What is the purpose of intrusion detection sensors in Physical Access Control Systems (PACSs)?

A. To prevent unauthorized access

B. To track and control the flow of assets

C. To respond to emergency situations

D. To identify if improper access has been gained

72 / 90

Which model can be helpful in identifying common need-to-know criteria and granting appropriate access, but not excessive, to applications?

A. Discretionary Access Control (DAC)

B. Mandatory Access Control (MAC)

C. Role-based Access Control (RBAC)

D. Attribute-based Access Control (ABAC)

73 / 90

What is the role of the Ticket Granting Server (TGS) in a Kerberos environment?

A. It authenticates users and services.

B. It performs the function of user registration and secret key management.

C. It provides service tickets to authenticated users.

D. It encrypts data exchanged between the user and the Kerberos server.

74 / 90

Which of the following is an example of a logical access control?

A. Door lock

B. Fence

C. Password

D. Security camera

75 / 90

What is the most common way of enforcing accountability in a system?

A. Strong authentication

B. Separation of duties

C. Logging and monitoring actions

D. Performing audits or reviews

76 / 90

What is the purpose of device identification in Physical Access Control Systems (PACSs)?

A. To identify and track human beings entering or leaving a secured area

B. To identify and track vehicles entering or leaving a secured area

C. To identify and track nonhuman users throughout the facility or at ingress and egress points

D. To detect if improper access has been gained

77 / 90

Which of the following is a weakness of biometrics that must be considered by security practitioners?

A. Biometric systems may be expensive to implement.

B. Biometric systems cannot detect fake credentials.

C. Biometric system may not be culturally acceptable.

D. Biometric systems do not require proper sanitization.

78 / 90

Which of the following functionalities of an IdM system supports oversight of identities and access by providing key details about the authorizations that are granted to an identity?

A. Provisioning

B. Deprovisioning

C. Authorization management

D. Identity review

79 / 90

What does IAM consist of?

A. Processes and tools designed to grant access to all users

B. Processes and tools designed to restrict access to only unauthorized users

C. Processes and tools designed to restrict access to only properly authorized users

D. Processes and tools designed to guarantee absolute integrity

80 / 90

What is the highest level of assurance for identity proofing according to NIST SP 800-63-3?

A. IAL1

B. IAL2

C. IAL3

D. It is not specified in the text.

81 / 90

What are objects within the context of access control models?

A. Assets that do not require access control

B. Human users who require access to files or facilities

C. Non-human entities like systems, processes, and devices

D. Security attributes like confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA)

82 / 90

Which of the following is a key functionality of Identity Management (IdM)?

A. Managing network infrastructure.

B. Managing cloud-based applications.

C. Facilitating password sharing.

D. Providing oversight of identities and access.

83 / 90

What is the advantage of using a hybrid approach for Identity and Access Management?

A. Elimination of on-premise maintenance completely

B. Advanced and more secure management of credentials

C. Reduction of management overhead due to SSO

D. Limited risk exposure of internal resources

84 / 90

Which of the following tasks is supported by an Identity Management (IdM) system in the access management lifecycle?

A. Secure socket interface management

B. Firewall configuration management

C. Authorization management

D. Data backup management

85 / 90

What is a primary advantage of federating identity management across organizations in a FIM scheme?

A. Increased security controls across organizations

B. Reduced security risks across organizations

C. Simplified administrative overhead of account management

D. Increased user access to multiple systems

86 / 90

Which of the following is true regarding physical security measures for information system security within facilities?

A. Logical security controls are always sufficient to prevent unwanted data access regardless of the physical security measures.

B. Physical security measures are not important when discussing information system security.

C. Secure perimeter paradigm is a commonly used physical security measure for securing facilities.

D. Physical security measures for facilities are not necessary since they do not contain any critical information.

87 / 90

Which security control can be used to enforce security policy restrictions such as the use of a complex passcode or encryption on a user device?

A. MAC

B. DAC

C. MFA

D. RBAC

88 / 90

Which of the following is NOT a process that a credential management system (CMS) should support?

A. Enrollment

B. Credential production

C. Authentication

D. Credential lifecycle management

89 / 90

What is a potential downside of decentralized IAM administration?

A. Lack of accountability

B. Inconsistent enforcement

C. Limited flexibility

D. Single point of failure

90 / 90

In a discretionary access control (DAC) model, who makes access decisions?

A. A centralized IT department

B. A designated security officer

C. The system or data owner

D. The end user

Your score is

🔒 Hands-On Cybersecurity Course + INTERNSHIP 🔒

Visit our Cyber Course

CISSP Domain 5: Identity and Access Management

Core Focus

Domain 5 is crucial for managing and securing identity and access within organizations, ensuring appropriate resource access.

Key Areas

Identity Management: User registration and digital identity creation
Access Management: Authorizing data and system access
Identity as a Service (IDaaS): Cloud-based identity solutions

Learning Path

1. Study Domain 5 Resources
2. Explore Domain 4: Communication and Network Security
3. Master Domain 6: Security Assessment and Testing

Additional Support

Join our Cyber Course + Internship
Visit (ISC)² Official Website for official information

We’re here to support your CISSP certification journey. Good luck with your preparation!

Back to All CISSP Domains / Home

Domain 5 CISSP Exam: Identity and Access Management

CISSP Domain 5: Identity and Access Management

Core Focus

Key Areas

Learning Path

Additional Support

Explore our other free practice tests:

Related Posts

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

JOIN OUR

NEWSLETTER

Domain 5 CISSP Exam: Identity and Access Management

CISSP Domain 5: Identity and Access Management

Core Focus

Key Areas

Learning Path

Additional Support

Explore our other free practice tests:

Related Posts

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

JOIN OUR

NEWSLETTER

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.