Page 1542 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 13: Managing Identity and Authentication
1. E. All of the answers are included in the types of assets that an
organization would try to protect with access controls.
2. C. The subject is active and is always the entity that receives
information about, or data from, the object. A subject can be a
user, a program, a process, a file, a computer, a database, and so
on. The object is always the entity that provides or hosts
information or data. The roles of subject and object can switch
while two entities communicate to accomplish a task.
3. A. A preventive access control helps stop an unwanted or
unauthorized activity from occurring. Detective controls discover
the activity after it has occurred, and corrective controls attempt to
reverse any problems caused by the activity. Authoritative isn’t a
valid type of access control.
4. B. Logical/technical access controls are the hardware or software
mechanisms used to manage access to resources and systems and
to provide protection for those resources and systems.
Administrative controls are managerial controls, and physical
controls use physical items to control physical access. A preventive
control attempts to prevent security incidents.
5. A. A primary goal when controlling access to assets is to protect
against losses, including any loss of confidentiality, loss of
availability, or loss of integrity. Subjects authenticate on a system,
but objects do not authenticate. Subjects access objects, but objects
do not access subjects. Identification and authentication are
important as the first step in access control, but much more is
needed to protect assets.
6. D. A user professes an identity with a login ID. The combination of
the login ID and the password provides authentication. Subjects
are authorized access to objects after authentication. Logging and