Chapter 5: Identity and Access Management (Domain 5) 367
- C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret. Even though it is unclassified, Unclassified data is still a different label, and Jim may not be authorized to access it.
- B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.
- The security controls match with the categories as follows:
- Password: B. Something you know.
- ID card: A. Something you have.
- Retinal scan: C. Something you are.
- Smartphone token: A. Something you have.
- Fingerprint analysis: C. Something you are.
- B. Policy is a subset of the administrative layer of access controls. Administrative, technical, and physical access controls all play an important role in security.
- C. Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
- A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.
- C. The crossover error rate is the point where the false acceptance rate and the false rejection rate cross over; it is a standard measure used to compare the accuracy of biometric devices.
- A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.
8 7. B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.