CISSP Topic

Identity and Access Management Practice Questions

Master Identity and Access Management for the CISSP exam with comprehensive practice questions, detailed explanations, and proven study strategies.

1,200+

Practice Questions

89%

Pass Rate

65K+

Students Passed

13%

of Exam

What You'll Learn

Identity and Access Management (IAM) is a critical domain within the CISSP exam, covering the policies, processes, and technologies used to manage user identities and control access to organizational resources. This domain focuses on ensuring the right individuals have the appropriate level of access to the right resources, while also preventing unauthorized access. Mastering IAM concepts is crucial for CISSP candidates, as it demonstrates their ability to design, implement, and maintain secure access control systems that protect an organization's sensitive data and critical assets.

Key Concepts

Authentication

The process of verifying that a user, device, or system is who or what it claims to be. It is performed by checking one or more authentication factors: something you know (a password or PIN), something you have (a hardware token or smartphone authenticator), or something you are (a biometric). Multi-factor authentication combines factors from at least two different categories; it is a scheme, not a credential.

Authorization

The process of granting or denying permissions and access rights to an already authenticated user, application, or system, based on the defined access policies. Authentication answers "who are you?"; authorization answers "what are you allowed to do?" A valid login proves identity but grants nothing by itself.

Access Control Models

The frameworks and mechanisms used to define and enforce access control policies, such as Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). In MAC the system enforces labels that the resource owner cannot override; in DAC the resource owner decides who gets access; in RBAC permissions attach to roles and users are assigned to roles; in ABAC each decision evaluates attributes of the subject, object, action, and environment.

Identity Lifecycle Management

The processes and tools used to create, maintain, and eventually terminate user identities within an organization, including provisioning, de-provisioning, and managing user accounts, privileges, and access rights.

Single Sign-On (SSO)

A session and user authentication service that lets a user access multiple applications and resources after a single authentication with one set of credentials. It improves user convenience and reduces password sprawl and reuse, but it also concentrates risk: the SSO credential and its session tokens become a single high-value target, so they should be protected with strong multi-factor authentication and short session lifetimes.

Principle of Least Privilege

The security principle that states users, processes, or systems should only be granted the minimum level of access privileges necessary to perform their intended functions, minimizing the potential for misuse or abuse of elevated permissions.

Separation of Duties

The practice of dividing tasks and responsibilities among multiple individuals or roles to prevent a single person from having too much control or power, which can lead to fraud, errors, or misuse of privileges.

Common Mistakes to Avoid

  • Confusing authentication and authorization, and not understanding the differences between the two concepts.
  • Failing to consider the principle of least privilege when granting access rights and permissions.
  • Overlooking the importance of proper identity lifecycle management, including timely provisioning and de-provisioning of user accounts.
  • Neglecting to implement strong multi-factor authentication mechanisms, especially for high-risk or sensitive resources.
  • Not understanding the various access control models and how they can be applied to different organizational scenarios.

Sample Identity and Access Management Questions

Question 1

Acme Corp. has hired Jane, and her access rights are determined by the organization's structure and job roles. Which access control model is MOST likely in use?

A.

Role-based access control (RBAC)

(Correct)
B.

Multifactor authentication (MFA)

C.

Attribute-based access control (ABAC)

D.

Two-factor authentication (2FA)

Explanation:

Correct answer: Role-based access control (RBAC). A system that employs role-based access control maps a subject's role to the operations and tasks that role needs. Users are assigned to roles, not directly to resources. The mention of job functions and hierarchy implies that the user's role is the key eleme...

Question 2

Which of the following choices provides the MOST accurate description of an attack specifically aimed at the top-tier leadership within an organization?

A.

Whaling

(Correct)
B.

Vishing

C.

Phishing

D.

Spear phishing

Explanation:

Correct answer: Whaling. Whaling is a form of phishing that specifically targets an organization's senior executives. Vishing is incorrect because it is phishing conducted over voice calls. Phishing is incorrect because it is the generic, untargeted form of the attack. Spear phishing is...

Question 3

After an employee changes roles, their prior system access isn't removed or reassessed. Which option provides the MOST fitting description of this scenario?

A.

Privilege creep

(Correct)
B.

A non-material security breach

C.

East-west traversal

D.

M of N control

Explanation:

Correct answer: Privilege creep. Privilege creep occurs when a user retains permissions they no longer need after a job change. It contravenes the principle of least privilege by leaving access to systems and data beyond the user's current role requirements. This situation isn't necessarily a security br...
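
As an added study example (not code from this page or from any vendor product), the toy Python identity store below ties together the Key Concepts and Questions 1 and 3 on constructed data: authentication kept separate from authorization, an RBAC role-to-permission mapping in which users are assigned to roles rather than resources, a separation-of-duties check, and detection and remediation of privilege creep after a role change that did not de-provision the old access. All usernames, passwords, role names and permission names are assumptions made for the example.

```python
"""Toy identity store with RBAC, separation-of-duties and privilege-creep checks.
Added study example, not code from this page or any vendor; all users, passwords,
roles and permission names are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# RBAC: permissions attach to roles and users are assigned to roles, never to
# resources directly.  Role and permission names are assumed for the example.
ROLE_PERMISSIONS = {
    "finance_clerk": {"invoice:create", "ledger:read"},
    "finance_approver": {"invoice:approve", "ledger:read"},
}
# Separation of duties: no single identity may hold both halves of a pair.
SOD_CONFLICTS = {frozenset({"invoice:create", "invoice:approve"})}


@dataclass
class Identity:
    username: str
    roles: set[str]
    direct_grants: set[str] = field(default_factory=set)  # grants outside any role
    salt: bytes = b""
    pw_hash: bytes = b""

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def provision(directory: dict, username: str, roles: set[str], password: str) -> Identity:
    """Lifecycle: create the identity with its initial roles and credential."""
    salt = os.urandom(16)
    ident = Identity(username, set(roles), salt=salt,
                     pw_hash=_hash_password(password, salt))
    directory[username] = ident
    return ident

def authenticate(directory: dict, username: str, password: str) -> Identity | None:
    """Authentication: verify the claimed identity.  It decides nothing about access."""
    ident = directory.get(username)
    if ident is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return None
    ok = hmac.compare_digest(ident.pw_hash, _hash_password(password, ident.salt))
    return ident if ok else None

def role_permissions(roles: set[str]) -> set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def effective_permissions(ident: Identity) -> set[str]:
    return role_permissions(ident.roles) | ident.direct_grants

def authorize(ident: Identity, permission: str) -> bool:
    """Authorization: decide what an already-authenticated subject may do."""
    return permission in effective_permissions(ident)

def sod_violations(ident: Identity) -> list[frozenset[str]]:
    """Conflicting permission pairs this identity holds at the same time."""
    return [pair for pair in SOD_CONFLICTS if pair <= effective_permissions(ident)]

def change_role(ident: Identity, new_roles: set[str], revoke_prior: bool) -> None:
    """Lifecycle: job change.  revoke_prior=False leaves the old role's
    permissions behind as direct grants, the scenario in Question 3."""
    old_perms = role_permissions(ident.roles)
    ident.roles = set(new_roles)
    if not revoke_prior:
        ident.direct_grants |= old_perms

def privilege_creep(ident: Identity) -> set[str]:
    """Permissions held that no current role justifies: the least-privilege gap."""
    return ident.direct_grants - role_permissions(ident.roles)

def remediate(ident: Identity) -> set[str]:
    """Access review: revoke the creep and return what was removed."""
    stale = privilege_creep(ident)
    ident.direct_grants -= stale
    return stale

def demo() -> dict:
    """Walk one constructed identity through hire, role change and access review."""
    directory: dict[str, Identity] = {}
    provision(directory, "jane", {"finance_clerk"}, "example-password-only")
    out = {"wrong_password_rejected": authenticate(directory, "jane", "guess") is None}
    jane = authenticate(directory, "jane", "example-password-only")
    out["authenticated"] = jane is not None
    # Authenticated is not authorized: a clerk creates invoices but cannot approve them.
    out["clerk_can_create"] = authorize(jane, "invoice:create")
    out["clerk_can_approve"] = authorize(jane, "invoice:approve")
    change_role(jane, {"finance_approver"}, revoke_prior=False)  # old access not removed
    out["creep"] = sorted(privilege_creep(jane))
    out["sod_conflicts"] = len(sod_violations(jane))
    out["removed_by_review"] = sorted(remediate(jane))
    out["sod_after_review"] = len(sod_violations(jane))
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints each step's result. The split between authenticate() and authorize() is the first item under Common Mistakes: a valid credential proves who Jane is, while the role mapping decides what she may do. After the role change without de-provisioning, Jane still holds invoice:create from her clerk days alongside invoice:approve from her new role, which is both privilege creep and a separation-of-duties conflict; the access review removes the stale grant and clears the conflict, which is why timely de-provisioning matters in identity lifecycle management.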

Study Tips for Identity and Access Management

Thoroughly understand the differences between authentication, authorization, and access control, and how they work together to secure access to resources.

Familiarize yourself with the common access control models, such as MAC, DAC, RBAC, and ABAC, and their strengths and weaknesses.

Practice applying the principle of least privilege and separation of duties when designing access control policies and permissions.

Review case studies and real-world examples of identity and access management challenges and best practices.

Ensure you have a solid understanding of identity lifecycle management, including provisioning, de-provisioning, and managing user accounts and privileges.

Frequently Asked Questions

How many Identity and Access Management questions are on the CISSP?

Identity and Access Management makes up approximately 13% of the CISSP exam. Upsero includes hundreds of practice questions covering all aspects of this topic.

How do I study for Identity and Access Management?

Start with understanding the key concepts, then practice with realistic exam questions. Upsero's ReadyScore tracks your mastery of Identity and Access Management so you know when you're ready for the real exam.

Are the practice questions similar to the real CISSP?

Yes! Our Identity and Access Management questions are designed to match the exact format, difficulty, and style of the actual CISSP exam. Many students say our questions are even harder than the real exam.

Master Identity and Access Management Today

Join thousands of students who passed the CISSP with Upsero

Start Free Trial