ISC2 CISSP — Certified Information Systems Security Professional · Domain 5 · 13% of exam

Identity and Access Management (IAM)

Drill 17 practice questions focused entirely on Identity and Access Management (IAM) for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer17 questions
Question 1 of 17

A global engineering firm needs an access control model for a new document repository. Access decisions must consider a combination of the user's department, project assignment, the sensitivity label of the document, the time of day, and whether the connection originates from a managed device on the corporate network. Requirements change frequently, and administrators want to express rules using these attributes without creating a new role for every combination. Which access control model BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 17

A financial services firm has employees who frequently transfer between departments. An internal audit reveals that many long-tenured staff retain access permissions from previous roles they no longer need, even though their accounts are active and legitimately used. Which identity lifecycle control most directly addresses this specific finding?

Reviewed for accuracy · Report an issue
Question 3 of 17

During a security audit of a financial services firm, the auditor finds that three database administrators all log into production systems using a single shared 'dbadmin' account whose password is stored in a team password vault. Management insists this is efficient and that the vault logs who checked out the credential. Which principle of identity and access management is most fundamentally violated by this arrangement?

Reviewed for accuracy · Report an issue
Question 4 of 17

A research firm allows the creator of each project document to decide who may read or edit it, and to pass those permissions on to colleagues as they see fit. The security team notices that files are being freely shared between team members based solely on the file creators' judgment, with no central authority validating each grant. Which access control model is in use, and what is its inherent weakness in this scenario?

Reviewed for accuracy · Report an issue
Question 5 of 17

A financial services firm keeps suffering account takeovers despite mandating SMS one-time passcodes as a second factor. Attackers use convincing proxy phishing sites that capture the user's password and relay the OTP in real time. The security architect is asked to select an authentication method that will structurally defeat this real-time relay (adversary-in-the-middle) technique. Which approach best meets the requirement?

Reviewed for accuracy · Report an issue
Question 6 of 17

A financial services firm is launching a fully remote customer onboarding portal. Regulators require strong assurance that each new account holder is a real, verified person before an account is opened, but no in-person branch visit is possible. Which activity in the identity lifecycle must the firm strengthen to meet this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 17

A financial services company discovers that several administrators retain permanent membership in the Domain Admins group, though most perform elevated tasks only a few times per month. An audit flags this standing privilege as a major attack-surface risk. The security architect wants to redesign privileged access so that administrators hold no persistent elevated rights but can obtain them, time-bound and with approval, only when a task requires them. Which approach best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 8 of 17

A development team is building a mobile app that needs to read a user's calendar events from a third-party cloud service on the user's behalf. The team wants the user to grant limited, revocable permission without the app ever handling the user's password for the calendar service. Which protocol is specifically designed to provide this delegated authorization?

Reviewed for accuracy · Report an issue
Question 9 of 17

A retail company is building a new customer-facing mobile app that authenticates users and calls a set of RESTful backend APIs. The identity team wants a federation standard that is JSON/REST-friendly, natively issues tokens suitable for authorizing API calls, and works well with native mobile clients. Which standard should they adopt?

Reviewed for accuracy · Report an issue
Question 10 of 17

During an access review, an auditor discovers that a database administrator who left the company four months ago still has an active account with full privileges. HR processed the termination the same day the employee departed, but the account was never disabled. Which control failure in the identity lifecycle is MOST directly responsible for this finding?

Reviewed for accuracy · Report an issue
Question 11 of 17

A large enterprise is redesigning its identity lifecycle process. Currently, help-desk staff manually create accounts when a manager emails a request, which has led to inconsistent attributes and accounts created before employment start dates. The IAM architect wants to ensure that identity records are trustworthy and that account creation is driven by verified employment events. Which change most directly addresses the root problem?

Reviewed for accuracy · Report an issue
Question 12 of 17

A large hospital uses RBAC to control access to its electronic health record system. Over five years, administrators have created more than 4,000 distinct roles to accommodate combinations of department, shift, location, and patient-assignment rules. Auditors now report that no one can determine which role grants which effective permissions, and provisioning new staff requires manual role selection that frequently over-grants access. Which approach BEST addresses the underlying 'role explosion' problem while preserving fine-grained control?

Reviewed for accuracy · Report an issue
Question 13 of 17

A financial services firm wants to enforce access so that contractors can only reach the internal code repository during business hours (08:00–18:00) on weekdays, from corporate-managed IP ranges, and the same restriction applies uniformly to every contractor regardless of their job title or department. The security architect must select the access control model that natively enforces these globally applied conditions without evaluating individual user identities or their assigned roles. Which model best fits this requirement?

Reviewed for accuracy · Report an issue
Question 14 of 17

A company federates with a SaaS HR application using SAML 2.0. Employees authenticate to the corporate identity provider (IdP) and are then redirected to the HR application without re-entering credentials. During a security review, an architect must confirm which component is responsible for cryptographically vouching for the user's identity to the SaaS application. Which SAML role produces and signs the assertion that the SaaS application relies upon?

Reviewed for accuracy · Report an issue
Question 15 of 17

A company uses a cloud-based HR system as its authoritative source for employee data and subscribes to a dozen SaaS applications through an Identity-as-a-Service (IDaaS) provider. Currently, help desk staff manually create and disable accounts in each SaaS app whenever HR records change, causing delays and occasional missed deprovisioning. The security architect wants a standards-based way for the IDaaS platform to automatically create, update, and disable user accounts in the downstream SaaS applications based on the HR system's data. Which technology best meets this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 17

A large enterprise operates several internal applications that all authenticate against the same corporate Active Directory. Users complain about entering credentials repeatedly. Separately, the company wants employees to access a third-party SaaS payroll provider using their corporate identity without the SaaS vendor ever storing or receiving corporate passwords. Which pairing correctly describes the two distinct capabilities needed?

Reviewed for accuracy · Report an issue
Question 17 of 17

A financial services company is hardening its remote-access authentication. Currently users log in with a password and a one-time code sent to a hardware token. Security wants to add a third element so that authentication requires something the user knows, something the user has, and something the user is. Which additional element correctly satisfies the missing authentication factor category?

Reviewed for accuracy · Report an issue

More CISSP practice

Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.

← Back to CISSP overview