Chapter 4: Identity and Access Management - Section B Flashcards

(51 cards)

1
Q

Access Control Software Introduction: What is the purpose of access control software?

A

Its purpose is to prevent unauthorized access to and modification of organization data, and unauthorized use of system-critical functions.

2
Q

Access Control Software Introduction: To achieve this goal, it is necessary to apply access controls only across the critical layers of the IS architecture (T or F)

A

False. Access controls must be applied across all layers of the IS architecture.

3
Q

Access Control Software Introduction: Which layers provide the greatest degree of protection?

A

The Network and Platform/OS layers

4
Q

Access Control Software Introduction: What are the Network and Platform/OS layers called, and why?

A

General Support Systems. They make up the infrastructure on which the database and application layers reside.

5
Q

Access Control Software Introduction: OS access control software (ACS) is typically restricted to ____ ____ and interfaces with ____ ____ ____ ____, which resides in ____ ____ ____ that manage and control external access to the organization's networks

A

Privileged users; network access control software; network-layer devices

6
Q

Access Control Software Introduction: OS access control software interfaces with database and/or application access controls to protect system libraries and user data sets (T or F)

A

True.

7
Q

What are the access control functions of general operating and/or application systems?

A
  1. Create or change user profiles.
  2. Assign user identification and authentication.
  3. Apply user logon limitation rules.
  4. Ensure users’ access is commensurate with their job responsibilities.
  5. Ensure notification concerning proper use and access prior to initial login.
  6. Create individual accountability and auditability by logging user activities.
  7. Establish rules for access to specific information resources (e.g., system-level
    application resources and data).
  8. Log events.
  9. Provide reporting capabilities.
8
Q

What are the access control functions of database and or application-level systems?

A
  1. Create or change data files and database profiles
  2. Verify user authorization at the application and transaction level
  3. Verify user authorization within the application
  4. Verify user authorization at the field level for changes within a database
  5. Verify subsystem authorization for the user at the file level
  6. Log database/data communications access activities for monitoring access
    violations
9
Q

General operating and application system access control: How do they create individual accountability and auditability?

A

By logging user activities

10
Q

General operation and application system access control: Ensure notification concerning proper use and access after the initial login (T or F)

A

False. Prior to initial login

11
Q

Database and/or application-level access control functions: Verifies user authorization at what levels?

A

Application and transaction level

12
Q

Database and/or application-level access control functions: Verifies user authorization for changes within a database at what level?

A

Field level

13
Q

Database and/or application-level access control functions : Verifies subsystem authorization for the user at the ___ level

A

file

14
Q

Access Control Software Summary: What are the upper and lower layers?

A

Upper: Database and Application Layers
Lower: Network and Platform/OS Layers

15
Q

Access Control Software Summary: The lower layers are dependent on the Upper layers (T or F)

A

False. The opposite is true: the upper layers depend on the lower layers to protect the general system resources.

16
Q

Access Control Software Summary: Upper layers provide _____ at the application level in segregating duties by function

A

granularity

17
Q

What is a critical building block of computer security because it is needed in all access control?

A

Identification and Authentication

18
Q

Identification and Authentication: How does it establish user accountability?

A

Links activities on a computer system to specific individuals.

19
Q

Identification and Authentication: Common Vulnerabilities include

A
  1. Weak authentication
  2. Simple passwords
  3. Potential to bypass authentication
  4. Lack of confidentiality and integrity for stored authentication information
  5. Lack of encryption and protection for authentication information transferred over a network
  6. User’s lack of knowledge on the risk in sharing authentication elements
20
Q

Identification and Authentication: I&A differ in respect to:

A
  1. Meaning
  2. Method, Peripherals, and Techniques
  3. Attributes
  4. Requirements in terms of secrecy and management
21
Q

Identification and Authentication: I&A differ in attributes how?

A

Authentication does not innately have any attributes related to it, while identity does.

22
Q

Identification and Authentication: How do I and A differ with respect to change?

A

Identities don't normally change; authentication keys, on the other hand, are regularly changed to ensure reliability.

23
Q

Key Concepts of Identity Access Management: Name All the Key Concepts:

A
  1. Identity creation and access request
  2. Transfer Request
  3. Access Termination Request
  4. Password Communication
  5. Password Management
  6. Policy Administration
  7. Validation
  8. Reinstatement
  9. Authorization Subprocess
  10. SoD
  11. Log Management
  12. Privileged Access
  13. Dormant/ Orphan User Accounts
24
Q

Key Concepts of IAM: What are the identified gaps in identity creation and access request?

A
  1. Authorized approval not in place
  2. Privileged Access without analyzing the need
  3. Group shared access
25
Q

Key Concepts of IAM: What are the identified gaps in transfer request?

A

Authorized approval not in place

26
Q

Key Concepts of IAM: What are the identified gaps in access termination request?

A

User ID not revoked immediately after termination

27
Q

Key Concepts of IAM: What are the identified gaps in password communication?

A

Unsecured means of communicating passwords

28
Q

Key Concepts of IAM: What are the identified gaps in password management?

A
  1. Password parameters not followed
  2. Password complexity not met
  3. Nonexistent password policies and standards
  4. Use of shared passwords

29
Q

Key Concepts of IAM: What are the identified gaps in policy administration?

A
  1. Lack of documented processes, policies and procedures
  2. Lack of timely process review

30
Q

Key Concepts of IAM: What are the identified gaps in validation?

A
  1. Validation process not in place or not adhered to
  2. Timely action not taken for accounts that are not validated in the process

31
Q

Key Concepts of IAM: What are the identified gaps in reinstatement?

A

Reinstatement without valid authorization

32
Q

Key Concepts of IAM: What are the identified gaps in the authorization subprocess?

A

Access given without authorization

33
Q

Key Concepts of IAM: What are the identified gaps in SoD?

A

Lack of SoD

34
Q

Key Concepts of IAM: What are the identified gaps in log management?

A

Lack of logging, auditing and reviewing of events

35
Q

Key Concepts of IAM: What are the identified gaps in privileged access?

A
  1. Access provided to users without validating the need for access
  2. Periodic revalidation process not in place
  3. Non-validated accounts are not terminated

36
Q

Key Concepts of IAM: What are the identified gaps in dormant user accounts?

A

Owners and custodians not identified for user accounts

37
Q

In Key Concepts of IAM - Identity creation and access request: Who should authorize the access?

A

The user's manager, the resource owner, or the security officer

38
Q

In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted only after what?

A

Two levels of approval

39
Q

In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted after two levels of approval from whom?

A
  1. Reporting manager
  2. Reporting manager's manager / application, database or server owner

40
Q

In Key Concepts of IAM - Identity creation and access request: Group shared access must utilize what principle?

A

Least privilege

41
Q

In Key Concepts of IAM - Identity creation and access request: Group shared access must:
  1. ____ on which the account can exist
  2. Ensure and ____ the list of users who would be sharing the account
  3. ____ should maintain and publish ____ who have access to the account
  4. Validate the ____ for shared accounts
  5. Passwords should be changed on a regular basis; the frequency should be defined in the ____
  6. If it is found that someone has obtained unauthorized access, the password must be ____

A
  1. Limit the servers
  2. Preapprove
  3. Account owners; the list of users
  4. Logging activities
  5. Process document
  6. Changed immediately

42
Q

In Key Concepts of IAM - Access termination request: The recommendation for this gap is to terminate access within a minimum and a maximum of how many days?

A

Minimum: 1 day; Maximum: 5 days

43
Q

In Key Concepts of IAM - Password communication: To resolve insecure means of communication, 1. Passwords can be communicated via ____ in ____ 2. Passwords must be stored in a ____

A
  1. User email; encrypted format
  2. Sealed envelope

44
Q

In Key Concepts of IAM - Password management: To close the gaps:
  1. The password should be a ____ of ___ characters in length
  2. The password should contain a mix of ____ and ____ letters, ____ and ____
  3. Passwords should not be: - - - -
  4. An encrypted ____ ____ should be maintained and should at minimum retain the last ___ passwords for each user ID
  5. Password changes should be enforced: ___ days for privileged access and ___ days for regular access
  6. At minimum, ___ consecutive unsuccessful attempts should lead to suspension of the account until it is reset by the ____ ____
  7. A time-out feature or screensaver should be enabled after ___ minutes of inactivity
  8. Passwords must always be ____ when held in storage for any significant period of time or when transmitted over networks
  9. Each ____ ____ should be uniquely identifiable, preferably to the ____
  10. The last ____ ____ ____ ____ should be displayed for the user at the ____ ____ ____
  11. At first login, a ____ ____ ____ should be enforced
  12. The password must be changed promptly when ____ is suspected

A
  1. Minimum; 8
  2. Lowercase; uppercase; numbers; punctuation
  3. Words found in the dictionary; personal information; related to the user ID; common character sequences
  4. History file; 13
  5. 30; 90
  6. 5; system administrator
  7. 15
  8. Encrypted
  9. User ID; username
  10. Login date and time; time of login
  11. Mandatory password change
  12. Disclosure
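The twelve password-management parameters above map directly onto a small enforcement module. The block below is an added example written for this page, not code from the original flashcard deck or any product; the word list, the character-sequence blacklist and the account details are constructed for illustration, and PBKDF2-HMAC-SHA256 with a per-account salt is the author's choice for the "encrypted history file" (the card does not name an algorithm).

```python
"""Password policy enforcement for the parameters in card 44.

Added example; it is not code from the original page. The word list,
the character-sequence list and the sample account are constructed.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MIN_LENGTH = 8                        # rule 1
HISTORY_DEPTH = 13                    # rule 4: retain the last 13 password hashes
MAX_AGE_DAYS = {True: 30, False: 90}  # rule 5, keyed on Account.privileged
MAX_FAILED_ATTEMPTS = 5               # rule 6
IDLE_TIMEOUT = timedelta(minutes=15)  # rule 7 (enforced by the session layer, not here)

# Constructed stand-ins for a real dictionary and a sequence blacklist (rule 3).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}
COMMON_SEQUENCES = ("1234", "abcd", "qwer", "0000", "1111")


def _hash(password: str, salt: bytes) -> bytes:
    """Rule 8: never keep clear text; PBKDF2-HMAC-SHA256 with a per-account salt (assumed choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    full_name: str
    privileged: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # newest hash first; history[0] is current
    last_change: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    must_change: bool = True                      # rule 11: forced change at first login
    failed_attempts: int = 0
    suspended: bool = False
    last_login: Optional[datetime] = None         # rule 10: shown to the user at login


def policy_violations(account: Account, candidate: str) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    lowered = candidate.lower()
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    personal = {account.user_id.lower(), *account.full_name.lower().split()}
    if any(token in lowered for token in personal):
        problems.append("contains user ID or personal information")
    if any(seq in lowered for seq in COMMON_SEQUENCES):
        problems.append("common character sequence")
    if _hash(candidate, account.salt) in account.history[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def change_password(account: Account, candidate: str) -> List[str]:
    """Apply the change if policy allows; returns the violations (empty on success)."""
    problems = policy_violations(account, candidate)
    if problems:
        return problems
    account.history.insert(0, _hash(candidate, account.salt))
    del account.history[HISTORY_DEPTH:]           # keep exactly the last 13
    account.last_change = datetime.now(timezone.utc)
    account.must_change = False
    account.failed_attempts = 0
    return []


def password_expired(account: Account, now: Optional[datetime] = None) -> bool:
    """Rule 5: 30 days for privileged, 90 days for regular accounts."""
    now = now or datetime.now(timezone.utc)
    return now - account.last_change > timedelta(days=MAX_AGE_DAYS[account.privileged])


def authenticate(account: Account, attempt: str) -> bool:
    """Rule 6: five consecutive failures suspend the account until an administrator resets it."""
    if account.suspended or not account.history:
        return False
    if _hash(attempt, account.salt) == account.history[0]:
        account.failed_attempts = 0
        account.last_login = datetime.now(timezone.utc)
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.suspended = True
    return False


def admin_reset(account: Account) -> None:
    """Rules 6 and 12: the system administrator clears the suspension and forces a new password."""
    account.suspended = False
    account.failed_attempts = 0
    account.must_change = True
```

Two details matter in practice: the history check hashes the candidate with the account's own salt, so old hashes remain comparable without ever storing clear text, and `authenticate` keeps counting after a lockout rather than resetting, so a correct guess on the sixth try cannot unlock the account.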
45
Q

In Key Concepts of IAM - Policy administration: How often should documents be reviewed?

A

Preferably yearly

46
Q

In Key Concepts of IAM - Validation: Each user account should be re-evaluated at a ____ ____, preferably every ___ months for normal users and every ___ months for privileged user accounts

A

Fixed frequency; 6; 3

47
Q

In Key Concepts of IAM - Reinstatement: Requests lacking approvals or with incorrect authorization may still be reinstated (T or F)

A

False. Reinstatement without valid authorization is the identified gap; such requests should be blocked.

48
Q

In Key Concepts of IAM - Authorization subprocess: Requests should be checked for valid granted approvals. Requests lacking approvals or with incorrect authorization should be ____ at the ____ ____ stage

A

Blocked; access request

49
Q

In Key Concepts of IAM - SoD: ___ requests passing through the IAM process should be validated for ___ ___ checking. Requests that fail the SoD check should be blocked at the ___ ___ ___

A

All; SoD policy; access request stage
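Cards 37 to 39 (who may authorize access, two approval levels for privileged access) and cards 48 and 49 (block unauthorized and SoD-failing requests at the access request stage) describe one gate. The block below implements that gate as an added example; it is not code from the original page. The role names, the SoD conflict pairs, the approval capacities and the sample requests are constructed, and the self-approval check is an addition the cards do not mention.

```python
"""Access-request gate for the authorization subprocess and the SoD check
(cards 37-39, 48 and 49).

Added example, not code from the original page. Role names, SoD conflict
pairs and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Card 39: roles whose grant needs two levels of approval (constructed set).
PRIVILEGED_ROLES = {"db_admin", "server_root", "user_admin"}

# Constructed SoD policy: pairs of roles one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"ap_invoice_entry", "ap_payment_release"}),
    frozenset({"user_admin", "access_log_review"}),
}

FIRST_LEVEL = {"manager"}                                            # card 39, level 1
SECOND_LEVEL = {"managers_manager", "resource_owner"}                # card 39, level 2
REGULAR_AUTHORIZERS = {"manager", "resource_owner", "security_officer"}  # card 37


@dataclass
class Approval:
    approver: str   # user ID of the person who approved
    capacity: str   # "manager", "managers_manager", "resource_owner" or "security_officer"


@dataclass
class AccessRequest:
    user_id: str
    requested_role: str
    current_roles: set
    approvals: list = field(default_factory=list)


def approval_violations(req: AccessRequest) -> List[str]:
    """Cards 37/38/39: one authorizer for regular access, two levels for privileged access."""
    problems = []
    if any(a.approver == req.user_id for a in req.approvals):
        # Not stated on the cards; added because an approver must be someone other than the requester.
        problems.append("self-approval is not a valid authorization")
    capacities = {a.capacity for a in req.approvals if a.approver != req.user_id}
    if req.requested_role in PRIVILEGED_ROLES:
        if not (capacities & FIRST_LEVEL and capacities & SECOND_LEVEL):
            problems.append("privileged access requires the reporting manager plus "
                            "the manager's manager or the resource owner")
    elif not capacities & REGULAR_AUTHORIZERS:
        problems.append("no authorized approval in place")
    return problems


def sod_violations(req: AccessRequest) -> List[str]:
    """Card 49: the roles held after the grant must not contain a conflicting pair."""
    after = set(req.current_roles) | {req.requested_role}
    return [f"SoD conflict: {' + '.join(sorted(pair))}"
            for pair in sorted(SOD_CONFLICTS, key=sorted) if pair <= after]


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Cards 48/49: anything failing the approval or SoD check is blocked at the access request stage."""
    reasons = approval_violations(req) + sod_violations(req)
    return ("blocked" if reasons else "approved", reasons)


if __name__ == "__main__":
    # Constructed sample: a clerk who enters invoices asks for payment release.
    sample = AccessRequest("jdoe", "ap_payment_release", {"ap_invoice_entry"},
                           [Approval("mgr1", "manager")])
    print(evaluate(sample))
```

The SoD check evaluates the role set the user would hold after the grant, not the requested role alone; a request that is harmless by itself is still blocked when it completes a conflicting pair with a role the user already has.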
50
Q

In Key Concepts of IAM - Privileged access: ____ ____ must be in place. Revalidation of privileged accounts must be conducted on a ____ basis. At a minimum, non-validated accounts should be terminated/locked within ___ working day or a maximum of ___ days

A

Documented processes; quarterly; 1; 5

51
Q

In Key Concepts of IAM - Dormant accounts: All accounts without an owner or custodian need to be identified and highlighted so that they can be what?

A

Assigned an owner or removed
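Cards 42, 46, 50 and 51 together define a periodic account review: revoke terminated users within one to five days, revalidate regular accounts every six months and privileged accounts every three, and flag accounts with no owner or custodian. The block below runs that review over a constructed account list as an added example; it is not code from the original page. The month-to-day conversions (91 and 182 days), the account records and the review date are assumptions made for illustration.

```python
"""Periodic account review for the timelines in cards 42, 46, 50 and 51.

Added example, not code from the original page. The account records and
the review date are constructed; months are approximated in days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVALIDATE_DAYS = {True: 91, False: 182}  # card 46: ~3 months privileged, ~6 months regular
TERMINATION_MAX_DAYS = 5                  # cards 42 and 50: 1 working day target, 5 days at most


@dataclass
class Account:
    user_id: str
    privileged: bool
    owner: Optional[str]                  # None marks an orphan account (card 51)
    last_validated: Optional[date]        # None: never validated
    terminated_on: Optional[date] = None  # set when the user leaves
    revoked: bool = False


def review(accounts, today: date) -> Dict[str, List[str]]:
    """Map user_id -> findings; accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.owner is None:
            issues.append("no owner or custodian: assign one or remove the account")
        if acct.terminated_on is not None and not acct.revoked:
            elapsed = (today - acct.terminated_on).days
            if elapsed > TERMINATION_MAX_DAYS:
                issues.append(f"user ID still active {elapsed} days after termination "
                              f"(max {TERMINATION_MAX_DAYS})")
            else:
                issues.append("terminated user: revoke within 1 working day")
        limit = REVALIDATE_DAYS[acct.privileged]
        if acct.last_validated is None or (today - acct.last_validated).days > limit:
            if acct.privileged:
                issues.append("privileged account not revalidated this quarter: "
                              "lock or terminate within 1-5 days")
            else:
                issues.append("regular account overdue for 6-monthly revalidation")
        if issues:
            findings[acct.user_id] = issues
    return findings


# Constructed sample data and review date.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", False, "bob", date(2024, 2, 1)),                       # fine: 150 days < 182
    Account("carol", True, "bob", date(2024, 2, 1)),                        # privileged, 150 days > 91
    Account("svc_report", False, None, date(2024, 6, 1)),                   # orphan service account
    Account("dave", False, "bob", date(2024, 6, 1), terminated_on=date(2024, 6, 20)),  # 10 days unrevoked
    Account("erin", True, "bob", None, terminated_on=date(2024, 6, 28)),    # never validated, left 2 days ago
]

if __name__ == "__main__":
    for user_id, issues in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user_id)
        for issue in issues:
            print("  -", issue)
```

Running the review as a scheduled job and feeding its output to the account owners is what turns the "validation process not in place" and "non-validated accounts are not terminated" gaps from cards 30 and 35 into tracked work items.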