Identity and Access Management (IAM) for CISSP
This page covers the Identity and Access Management (IAM) domain of the CISSP certification. Master Cybersecurity offers 55 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement?
- A. Role-based access control (RBAC)
- B. Discretionary access control (DAC)
- C. Content-dependent Access Control
- D. Rule-based Access Control
Explanation
The correct answer is: A. Role-based access control (RBAC).
Role-based access control is the right model when many users share similar job responsibilities because permissions are attached to roles and users are mapped to those roles, so onboarding, transfer, and offboarding involve role assignment changes rather than touching individual ACLs. This dramatically simplifies administration and enforces consistency across people doing the same job. Discretionary access control assigns permissions at the discretion of the data owner per user or per group, which scales poorly and produces inconsistent grants across users in the same job. Content-dependent access control bases decisions on the content of the data (such as classification of a particular record) and addresses fine-grained data filtering rather than uniform role provisioning. Rule-based access control applies policy rules such as time-of-day or location restrictions globally and does not group users by job function. Only RBAC directly solves the "many users, same job" administration problem.
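The "many users, same job" point in the explanation is easier to see in code. The block below is an added illustration written for this page, not part of the exam content: a minimal RBAC model in which permissions attach to roles and users are bound to roles, with a helper that compares the administrative effort of adding a permission under RBAC (one edit on the role) against per-user, DAC-style grants (one edit per user). Role names, permissions and user names are constructed.

```python
"""Added example: a minimal RBAC model, with the administrative cost compared to
per-user (DAC-style) grants. Roles, permissions and user names are constructed
for this illustration; none of it is from the exam content."""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions
        self.user_roles = defaultdict(set)   # user -> roles

    def define_role(self, role, *perms):
        self.role_perms[role].update(perms)

    def assign_role(self, user, role):
        if role not in self.role_perms:
            # No ad-hoc grants outside the role model: every access path is a role.
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        if user in self.user_roles:
            self.user_roles[user].discard(role)

    def offboard(self, user):
        # Removing the user's role bindings removes every permission at once.
        self.user_roles.pop(user, None)

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user, perm):
        return perm in self.permissions(user)

    def members(self, role):
        return {u for u, roles in self.user_roles.items() if role in roles}


def build_example():
    """Constructed retail example: three cashiers and one store manager."""
    rbac = Rbac()
    rbac.define_role("cashier", "pos:sell", "inventory:read")
    rbac.define_role("store_manager", "pos:sell", "pos:refund", "inventory:write")
    for user in ("alice", "bob", "carol"):
        rbac.assign_role(user, "cashier")
    rbac.assign_role("dana", "store_manager")
    return rbac


def transfer(rbac, user, old_role, new_role):
    """A job change is a role swap, not a rewrite of the user's individual ACL entries."""
    rbac.revoke_role(user, old_role)
    rbac.assign_role(user, new_role)


def edits_to_add_permission(rbac, role, perm):
    """Administrative effort to give everyone in a job a new permission.
    RBAC: one edit to the role. DAC-style per-user ACLs: one edit per user."""
    return {"rbac": 1, "dac": len(rbac.members(role))}
```

Under RBAC, granting `pos:void` to every cashier is a single `define_role("cashier", "pos:void")`; under per-user grants the same change is repeated for each cashier and drifts as soon as one is missed, which is the inconsistency the explanation attributes to DAC.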
Question 2
Clothing retailer employees are provisioned with user accounts that provide access to resources at partner businesses. All partner businesses use common identity and access management (IAM) protocols and differing technologies. Under the Extended Identity principle, what is the process flow between partner businesses to allow this IAM action?
- A. Clothing retailer acts as User Self Service, confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.
- B. Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.
- C. Clothing retailer acts as Service Provider, confirms identity of user using industry standards, then sends credentials to partner businesses that act as an identity provider (IdP) and allows access to resources.
- D. Clothing retailer acts as Access Control Provider, confirms access of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to resources.
Explanation
The correct answer is: B. Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.
Under the Extended Identity principle the home organization acts as the identity provider, authenticates its own users against its own credential store using standard federation protocols (SAML, OIDC), and issues an assertion that partner businesses, acting as service providers (relying parties), consume to grant access to their resources. This IdP-to-SP flow is the foundation of federated SSO across organizations. The option labeling the retailer as a Service Provider inverts the roles: the SP receives assertions, it does not issue them. The User Self Service variant describes a portal where users register or update their own attributes and is not a federation role. The Access Control Provider variant invents a role that is not part of the SAML or OIDC role model. Only the IdP-to-SP direction correctly describes how the retailer's authenticated employees consume partner services.
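The IdP-to-SP direction described above, as an added example that is not part of the exam content: the retailer's IdP is the only party holding a credential store and the only party that signs assertions; each partner's SP verifies the signature, issuer, audience and validity window and then decides access from the asserted groups. The assertion format is a constructed JSON-plus-HMAC stand-in for a SAML assertion or OIDC ID token, not either protocol's real wire format, and all names, URLs and the shared key are made up.

```python
"""Added example: the Extended Identity (federated SSO) flow in miniature.

The retailer runs an IdP that authenticates its own employees against its own
credential store and issues a signed assertion; each partner runs an SP that
only consumes assertions. The assertion format is a constructed JSON-plus-HMAC
stand-in for a SAML assertion or OIDC ID token, not either protocol's real wire
format. All names, URLs and keys are made up.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed key shared between the IdP (to sign) and the SPs (to verify).
# Real federations distribute the IdP's public key via metadata instead.
IDP_KEY = b"constructed-demo-signing-key-not-for-production"


def make_user(password, groups):
    """Credential-store record: salted PBKDF2 hash only, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "groups": list(groups)}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


class IdentityProvider:
    """The retailer: the only party that authenticates users and issues assertions."""

    def __init__(self, issuer, signing_key, users):
        self.issuer, self.signing_key, self.users = issuer, signing_key, users

    def authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["hash"])

    def issue_assertion(self, username, password, audience, ttl=300, now=None):
        """Authenticate locally, then issue a short-lived assertion bound to one SP."""
        if not self.authenticate(username, password):
            return None
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "groups": self.users[username]["groups"]}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class ServiceProvider:
    """A partner business: trusts one issuer, consumes assertions, grants access."""

    def __init__(self, entity_id, trusted_issuer, verify_key):
        self.entity_id, self.trusted_issuer, self.verify_key = entity_id, trusted_issuer, verify_key

    def consume(self, assertion, now=None):
        """Return the claims if the assertion is valid for this SP, else None."""
        try:
            payload_b64, sig_b64 = assertion.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:          # malformed token or bad base64
            return None
        expected = hmac.new(self.verify_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None             # forged or tampered
        claims = json.loads(payload)
        now = int(time.time()) if now is None else now
        if claims["iss"] != self.trusted_issuer or claims["aud"] != self.entity_id:
            return None             # wrong issuer, or issued for a different partner
        if not claims["iat"] <= now < claims["exp"]:
            return None             # presented outside its validity window
        return claims

    def grants_access(self, assertion, required_group, now=None):
        claims = self.consume(assertion, now)
        return claims is not None and required_group in claims["groups"]


def tamper(assertion):
    """Flip one bit of the signature, to show that the SP rejects the result."""
    payload_b64, sig_b64 = assertion.split(".")
    sig = bytearray(base64.urlsafe_b64decode(sig_b64))
    sig[0] ^= 0x01
    return payload_b64 + "." + _b64(bytes(sig))
```

The audience check is what keeps an assertion issued for partner A from being replayed at partner B, and the expiry check bounds how long a captured assertion stays useful; both are checks the SP performs on an assertion it never issued, which is exactly why the roles cannot be inverted.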
Question 3
Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?
- A. Training department
- B. Internal audit
- C. Human resources
- D. Information technology (IT)
Explanation
The correct answer is: C. Human resources.
Human Resources is best positioned to initiate provisioning and deprovisioning because HR is the authoritative source for employment events (hire, transfer, promotion, termination) that drive identity lifecycle changes. Only HR knows in real time when an employee's status changes, so it must originate the trigger that IT then executes. Information technology is wrong because IT operationalizes account creation and removal but should not decide unilaterally whether someone is still employed or has changed roles, since acting without HR input invites stale or unauthorized accounts. Internal audit is wrong because audit is an independent assurance function and originating provisioning would compromise its independence. The training department is wrong because it has no authoritative view of employment status or role assignment, only of completed coursework. Anchoring the identity lifecycle to HR is a core CISSP control to keep provisioning and deprovisioning timely and accurate.
Question 4
A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution?
- A. In-house team lacks resources to support an on-premise solution.
- B. Third-party solutions are inherently more secure.
- C. Third-party solutions are known for transferring the risk to the vendor.
- D. In-house development provides more control.
Explanation
The correct answer is: A. In-house team lacks resources to support an on-premise solution.
The driver behind adopting Identity as a Service is typically that the in-house team lacks the resources, specialized expertise, and ongoing operational capacity to build and run a robust on-premises identity stack; IDaaS shifts that operational burden to a provider with dedicated identity engineering and 24/7 operations. Third-party solutions are not inherently more secure; security depends on the provider's controls and the customer's configuration. Transferring risk to the vendor is a common misconception: contractual SLAs and shared responsibility models may reallocate some operational risk, but residual risk and accountability for protecting customer data remain with the organization, so risk transfer is rarely the legitimate driver. In-house development provides more control but at the cost of resources and expertise; choosing IDaaS is an explicit acknowledgment that control is being traded for capability and lower operational overhead. Resource constraints are the real reason.
Question 5
In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?
- A. Implement bi-annual reviews.
- B. Create policies for system access.
- C. Implement and review risk-based alerts.
- D. Increase logging levels.
Explanation
The correct answer is: C. Implement and review risk-based alerts.
Implementing and reviewing risk-based alerts is the right complement to quarterly access reviews because a quarterly cadence leaves up to ninety days during which a malicious or erroneous privileged-account creation can sit undetected, as the scenario demonstrates. Risk-based alerting on privileged account creation, sensitive-group changes, and out-of-pattern administrative activity collapses detection time from months to minutes. Implementing bi-annual reviews moves in the wrong direction by lengthening the gap between reviews rather than shortening it. Creating policies for system access is necessary as a baseline but policy alone produces no real-time detection signal. Increasing logging levels generates more raw data without ensuring anyone notices the relevant events; logging without alerting is forensic, not preventive. Risk-based alerts deliver the continuous monitoring needed to close the window between scheduled reviews.
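What "risk-based alerting on privileged account creation" looks like in practice, as an added example written for this page rather than taken from the exam content: a small scoring rule set run over constructed log lines. An account created by an unapproved actor or outside the change window accumulates risk, and adding it to a privileged group shortly after creation pushes it over the alert threshold, so the scenario's account is flagged within seconds rather than at the next quarterly review. The log format is a simplified JSON-per-line stand-in, not real Windows Security log output, though the event ID numbers follow their Windows meanings; actor names, hosts, groups and the approved-provisioner list are constructed.

```python
"""Added example: risk-based alerting on privileged-account creation, run over
constructed log lines. The events use a simplified JSON-per-line format that is
not real Windows Security log output; the event ID numbers follow the Windows
meanings (4720 account created, 4728/4732 member added to a security-enabled
group). Actor names, hosts, groups and the approved-provisioner list are constructed."""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
APPROVED_PROVISIONERS = {"svc_iam_provisioning"}    # identities allowed to create accounts
CHANGE_WINDOW_HOURS = (9, 17)                        # approved hours for account changes (UTC)
ALERT_THRESHOLD = 5

# Constructed sample events: a routine HR-driven hire, then an off-hours
# account created by an individual admin and made local Administrator at once.
SAMPLE_LOG = """\
{"ts":"2024-04-01T10:02:11Z","event_id":4720,"actor":"svc_iam_provisioning","target":"jsmith","host":"DC01"}
{"ts":"2024-04-01T10:02:40Z","event_id":4728,"actor":"svc_iam_provisioning","target":"jsmith","group":"Sales Staff","host":"DC01"}
{"ts":"2024-04-02T03:17:05Z","event_id":4720,"actor":"mlee","target":"backup_adm2","host":"PRD-APP01"}
{"ts":"2024-04-02T03:17:33Z","event_id":4732,"actor":"mlee","target":"backup_adm2","group":"Administrators","host":"PRD-APP01"}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def evaluate(events, threshold=ALERT_THRESHOLD):
    """Score each target account as events stream in; alert the first time it crosses the threshold."""
    created_at = {}     # target -> creation time
    risk = {}           # target -> [score, reasons]
    alerted = set()
    alerts = []
    for ev in events:
        target = ev["target"]
        entry = risk.setdefault(target, [0, []])
        if ev["event_id"] == 4720:
            created_at[target] = ev["ts"]
            if ev["actor"] not in APPROVED_PROVISIONERS:
                entry[0] += 2
                entry[1].append(f"created by unapproved actor {ev['actor']}")
            if not CHANGE_WINDOW_HOURS[0] <= ev["ts"].hour < CHANGE_WINDOW_HOURS[1]:
                entry[0] += 2
                entry[1].append("created outside the change window")
        elif ev["event_id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            entry[0] += 3
            entry[1].append(f"added to privileged group {ev['group']}")
            if target in created_at and ev["ts"] - created_at[target] <= timedelta(hours=1):
                entry[0] += 3
                entry[1].append("granted privilege within 1h of creation")
        if entry[0] >= threshold and target not in alerted:
            alerted.add(target)
            alerts.append({"ts": ev["ts"], "target": target, "host": ev["host"],
                           "score": entry[0], "reasons": list(entry[1])})
    return alerts


def detection_lead_days(alert_ts, next_review):
    """Whole days by which the alert beats the next scheduled access review."""
    return (next_review - alert_ts).days


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_LOG)):
        print(alert["ts"], alert["target"], alert["score"], "; ".join(alert["reasons"]))
```

The routine hire never reaches the threshold, so the analyst reviewing alerts sees only the anomalous account; the scoring weights and the threshold are the tunable part, and the "reasons" list is what makes the alert reviewable rather than a bare number, which is the "review" half of "implement and review".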
Other CISSP domains
- Asset Security (46 questions)
- Communication and Network Security (58 questions)
- Security and Risk Management (75 questions)
- Security Architecture and Engineering (71 questions)
- Security Assessment and Testing (54 questions)
- Security Operations (68 questions)
- Software Development Security (57 questions)