Access Controls Concepts
Drill 20 practice questions focused entirely on Access Controls Concepts for the ISC2 CC exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
An employee logs into the corporate VPN by entering a password and then typing a six-digit code displayed on a physical key fob issued by the company. The security team wants to classify each element used during this login. How should the physical key fob be categorized?
A data center entrance requires each employee to swipe an access badge and then enter a personal PIN on a keypad before the door unlocks. From an authentication perspective, what does this configuration provide?
At a small marketing firm, employees store project files on a shared server. When Maria creates a document, she alone decides which coworkers can read or edit it, and she can grant or revoke that access at any time through the file's permission settings. Which access control model does this arrangement best illustrate?
At a design firm, each project lead can decide who may open, edit, or share the files they create in a shared collaboration platform. There are no organization-wide classification labels; access is entirely at the file creator's discretion. Which access control model is in use?
A junior database administrator is assigned to run weekly backup jobs on the company's customer database. When IT provisions the account, they grant it full administrative rights to the entire database server, including the ability to modify schemas, delete tables, and manage other user accounts. Which security principle has been violated?
A visitor arrives at a corporate lobby and the security guard checks the visitor's government-issued ID against a pre-approved appointment list before allowing entry. Which combination of access control characteristics best describes what the guard is providing at this checkpoint?
A government agency stores documents that carry classification labels such as 'Confidential', 'Secret', and 'Top Secret'. Each user is assigned a clearance level, and the operating system itself enforces the rule that a user may only open a document if their clearance is equal to or higher than the document's label. Individual document owners cannot override this rule to share files with lower-cleared colleagues. Which access control model is being used?
An analyst at a defense contractor is granted read access to a document labeled 'Secret' because her clearance and need-to-know match. She wants to email the file to a colleague who has only a 'Confidential' clearance. The system blocks her attempt and prevents her from changing the file's label. Which access control model is enforcing this restriction?
A defense contractor operates a system where the operating system itself enforces access based on security labels assigned to both users and files. A user with a 'Secret' clearance cannot open a file labeled 'Top Secret', and even the file's creator cannot change these label-based restrictions. Which access control model is in use?
A data center wants to stop unauthorized people from slipping through a secured door behind an authorized employee (tailgating). Which physical access control is specifically designed to allow only one person through at a time by using two interlocking doors?
A data center installs a two-door enclosure at its main entrance. The outer door must close and lock before the inner door will unlock, and a floor weight sensor confirms only one person is inside before granting entry. Which physical access control objective does this design primarily achieve?
A warehouse installs infrared motion sensors in a storage area that should be empty after business hours. One night the sensors trigger an alert to the monitoring station, and security staff respond to investigate. Within the physical access control model, what is the primary function this sensor is performing?
A bank requires tellers to log in by entering a password and then scanning their fingerprint at the workstation. The security team wants to confirm this qualifies as true multi-factor authentication. Which statement best supports that conclusion?
A new analyst named Priya is hired into the finance department. Before she logs in for the first time, an administrator configures the system so that Priya's account will be permitted to open and edit the quarterly-budget spreadsheet. In the access control model terminology, what role does Priya's user account play in this arrangement?
A hospital hires a new billing clerk. Rather than manually assigning individual file and application permissions, the IT administrator adds the new employee's account to the 'Billing Clerk' group, which automatically grants the standard set of permissions every billing clerk needs. Which access control model is being used?
Maria transfers from the finance department to the marketing department. Under the company's role-based access control (RBAC) system, IT assigns her the Marketing role but forgets to remove her Finance role. Two months later an audit finds she can still access sensitive accounting systems she no longer needs. Which access control principle was most directly violated by leaving her old role in place?
A growing company frequently hires, transfers, and promotes staff. The security team is overwhelmed because they must manually adjust individual user permissions each time someone changes positions, and errors keep occurring. Management wants an access control approach where permissions are tied to job functions so that assigning a person to a position automatically grants the correct access. Which access control model best meets this requirement?
A growing company has struggled with inconsistent file permissions because individual data owners keep granting access to coworkers at their own discretion, creating a tangle of ad-hoc rights. Leadership wants access decisions based strictly on employees' job functions and managed centrally so that when someone changes positions their access changes automatically. Which access control model best meets this requirement?
A hospital wants nurses to access only the patient records relevant to their job function, and access should update automatically whenever a nurse is assigned to a different unit. Administrators do not want individual data owners deciding who gets access, and there are no security classification labels on the records. Which access control model best fits these requirements?
An employee is terminated during a morning meeting. Before the employee leaves the building, the security manager wants to ensure they can no longer use their proximity badge to enter secured areas. What is the MOST effective action to accomplish this?
More CC practice
Keep going with the other ISC2 CC — Certified in Cybersecurity domains, or take a full timed mock exam.
← Back to CC overview