Free ISC2 Certified in Cybersecurity CC Practice Questions: IAM Concepts

Practice 10 free ISC2 Certified in Cybersecurity (ISC2 Certified in Cybersecurity CC) questions on IAM Concepts, with answers, explanations, and the IT Mastery next step.

Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.

Try ISC2 Certified in Cybersecurity CC on Web

Topic snapshot

Practice target: ISC2 Certified in Cybersecurity CC
Topic area: Identity and Access Management Concepts
Blueprint weight: 20%
Page purpose: Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Identity and Access Management Concepts for ISC2 Certified in Cybersecurity CC. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

First attempt
  What to do: Answer without checking the explanation first.
  What to record: The fact, rule, calculation, or judgment point that controlled your answer.

Review
  What to do: Read the explanation even when you were correct.
  What to record: Why the best answer is stronger than the closest distractor.

Repair
  What to do: Repeat only missed or uncertain items after a short break.
  What to record: The pattern behind misses, not the answer letter.

Transfer
  What to do: Return to mixed practice once the topic feels stable.
  What to record: Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These are original IT Mastery practice questions aligned to this topic area. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.

Question 1

Topic: Identity and Access Management Concepts

A small company already uses multifactor authentication for employee sign-ins. Auditors now ask for evidence that application access is approved by data owners, reviewed quarterly, and removed when employees change roles. Which action is the best fit for this need?

Options:

  • A. Implement identity governance workflows for access reviews and approvals

  • B. Block sign-ins after three failed attempts

  • C. Require longer passwords for all applications

  • D. Add a second authentication factor to every login

Best answer: A

Explanation: Identity governance focuses on managing and proving who should have access, who approved it, and whether access remains appropriate over time. In this scenario, sign-in protection already exists through multifactor authentication. The audit need is governance evidence: owner approval, periodic review, and access removal after role changes. Those are supported by identity governance processes or tools such as access requests, approvals, access certification, and deprovisioning workflows.

Authentication controls verify that a user is who they claim to be at login. They do not, by themselves, prove that the user’s access was approved, reviewed, or still appropriate.

  • Password strength improves authentication but does not provide access-owner approval or quarterly review evidence.
  • More MFA strengthens login verification, but the scenario already has MFA and needs governance support.
  • Failed-login lockout helps resist guessing attacks, but it does not manage access approvals or lifecycle changes.

Question 2

Topic: Identity and Access Management Concepts

During a quarterly access review, an IAM report shows that a contractor’s account was deprovisioned last week. However, the application owner confirms the contractor can still sign in to a finance reporting system. The organization requires access records to match actual system access. What is the best action?

Options:

  • A. Update the IAM record to show the access is still active

  • B. Wait until the next quarterly review to recheck the account

  • C. Disable the actual system access and investigate the provisioning gap

  • D. Ask the contractor whether the access is still needed

Best answer: C

Explanation: When IAM records and actual system access do not match, the safest response is to correct the access state in the target system first and then investigate why the IAM process or tool did not enforce deprovisioning. The record says the contractor should no longer have access, but the system still allows sign-in, so there is an active unauthorized access condition. Updating documentation alone would make the record match the wrong state. Asking the contractor does not replace approval by an access owner or manager. As part of the investigation, check the system's sign-in and activity logs for the window between the recorded deprovisioning and the discovery, because the account was usable throughout. The key takeaway is that IAM reviews must validate actual access in each target system, not just stored records.

  • Record-only fix fails because it preserves access that should have been removed.
  • Delayed review leaves an unauthorized account active after the mismatch is known.
  • User confirmation is not sufficient authorization for continued finance system access.
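The check described in this explanation, comparing what the IAM system of record says should exist with what each target system actually has, is the part most teams skip. The following is an added example written for this page, not IT Mastery or ISC2 material. Both datasets are constructed; in practice IAM_RECORDS would be an export from the IAM tool and SYSTEM_ACCOUNTS a listing pulled from each application, directory or SaaS admin API. The finding kinds and the action text are the author's labels, not any tool's vocabulary.

```python
"""Reconcile an IAM system-of-record export against real account state.

Added example; the two datasets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# What the IAM record says SHOULD be true (constructed sample).
IAM_RECORDS = [
    {"user": "c.ortiz", "system": "finance-reporting", "status": "deprovisioned"},
    {"user": "a.chen",  "system": "finance-reporting", "status": "active"},
    {"user": "m.patel", "system": "finance-reporting", "status": "active"},
]

# What the target system itself reports IS true (constructed sample).
SYSTEM_ACCOUNTS = {
    "finance-reporting": [
        {"user": "c.ortiz", "enabled": True},   # record says deprovisioned, account still live
        {"user": "a.chen",  "enabled": True},
        {"user": "r.kim",   "enabled": True},   # no IAM record at all
    ],
}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    kind: str      # orphan_active | unrecorded_account | record_ahead
    action: str


def reconcile(iam_records, system_accounts) -> List[Finding]:
    """Compare desired state (IAM) with observed state (system) in both directions."""
    expected: Dict[Tuple[str, str], str] = {
        (r["system"], r["user"]): r["status"] for r in iam_records
    }
    actual: Dict[Tuple[str, str], bool] = {
        (system, acct["user"]): acct["enabled"]
        for system, accts in system_accounts.items()
        for acct in accts
    }
    findings: List[Finding] = []
    # Direction 1: live accounts the record does not authorise. These are the
    # security-relevant cases and are fixed in the target system, never by editing the record.
    for (system, user), enabled in actual.items():
        if not enabled:
            continue
        status = expected.get((system, user))
        if status is None:
            findings.append(Finding(system, user, "unrecorded_account",
                                    "disable in target; trace how the account was created"))
        elif status == "deprovisioned":
            findings.append(Finding(system, user, "orphan_active",
                                    "disable in target now; investigate why deprovisioning did not reach it"))
    # Direction 2: record says active but the system has no enabled account. Not an
    # exposure, but the record is wrong and the access owner should confirm what is intended.
    for (system, user), status in expected.items():
        if status == "active" and not actual.get((system, user), False):
            findings.append(Finding(system, user, "record_ahead",
                                    "confirm with access owner; correct the record or re-provision"))
    return findings


def disable_flagged(system_accounts, findings) -> Dict[str, List[str]]:
    """Apply the fix where it belongs: flip the account off in the target system.
    Returns the users disabled per system."""
    to_disable = {(f.system, f.user) for f in findings
                  if f.kind in ("orphan_active", "unrecorded_account")}
    disabled: Dict[str, List[str]] = {}
    for system, accts in system_accounts.items():
        for acct in accts:
            if (system, acct["user"]) in to_disable and acct["enabled"]:
                acct["enabled"] = False
                disabled.setdefault(system, []).append(acct["user"])
    return disabled


if __name__ == "__main__":
    found = reconcile(IAM_RECORDS, SYSTEM_ACCOUNTS)
    for f in found:
        print(f"{f.kind:20} {f.system}/{f.user}: {f.action}")
    print("disabled:", disable_flagged(SYSTEM_ACCOUNTS, found))
```

Running it flags the contractor's still-enabled account as orphan_active and the account with no IAM record at all as unrecorded_account; only the "record ahead of system" case is handled by talking to the owner rather than by an immediate disable, because it exposes nothing.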

Question 3

Topic: Identity and Access Management Concepts

A small finance team discovers that one administrator can both create new vendor accounts and approve payments to those vendors. The company requires least privilege and wants to reduce fraud risk without stopping normal payment processing. What is the BEST action?

Options:

  • A. Separate vendor creation and payment approval duties

  • B. Require the administrator to use a stronger password

  • C. Increase log retention for payment activity

  • D. Allow the access but review it annually

Best answer: A

Explanation: Separation of Duties (SoD) prevents one person from controlling all steps of a sensitive process. In this case, the same privileged user can create a vendor and approve payment to that vendor, which creates a conflict of interest and a fraud opportunity. The best response is to split those responsibilities between different users or roles, while keeping each user's access limited to what their job requires. Logging and reviews can support oversight, but they do not remove the conflicting capability. Where a very small team genuinely cannot staff two roles, a compensating control such as second-person approval on each payment plus independent review of vendor master changes is the fallback, but the first choice is to remove the conflicting combination.

  • Stronger password improves authentication but does not address the conflict between creating vendors and approving payments.
  • More logging may help detect suspicious activity later, but it does not prevent the same user from completing both sensitive actions.
  • Annual review is too weak for an active SoD conflict because the risky access remains in place.
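SoD conflicts are easy to miss when a user collects them across two separate roles, or when one role is over-broad on its own. The following is an added example for this page, not page or ISC2 code. The roles, the user assignments and the list of conflicting permission pairs are constructed; a real list comes from the organisation's own review of which process steps must never be held by one person.

```python
"""Find Separation of Duties conflicts in role assignments.

Added example; roles, assignments and the toxic-pair list are constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> permissions the role carries (constructed).
ROLES: Dict[str, Set[str]] = {
    "ap-admin":      {"vendor.create", "vendor.edit", "payment.approve"},  # the problem role
    "vendor-master": {"vendor.create", "vendor.edit"},
    "ap-approver":   {"payment.approve"},
    "ap-clerk":      {"payment.enter"},
}

# Permission pairs that must never sit with one identity (assumed SoD matrix).
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.enter", "payment.approve"}),
}

# Constructed assignments: one conflict inside a single role, one across two roles.
USER_ROLES: Dict[str, Set[str]] = {
    "d.ruiz": {"ap-admin"},
    "s.nair": {"vendor-master", "ap-approver"},
    "j.lee":  {"ap-clerk"},
}


def effective_permissions(assigned_roles: Set[str], roles=ROLES) -> Set[str]:
    """Union of everything the user's roles grant."""
    perms: Set[str] = set()
    for r in assigned_roles:
        perms |= roles[r]
    return perms


def sod_conflicts(user_roles: Dict[str, Set[str]], roles=ROLES,
                  toxic=TOXIC_PAIRS) -> Dict[str, List[Tuple[str, ...]]]:
    """Users whose effective permissions contain a toxic pair, whether the pair
    comes from one over-broad role or from two roles combined."""
    hits: Dict[str, List[Tuple[str, ...]]] = {}
    for user, assigned in user_roles.items():
        perms = effective_permissions(assigned, roles)
        found = sorted(tuple(sorted(pair)) for pair in toxic if pair <= perms)
        if found:
            hits[user] = found
    return hits


def self_conflicting_roles(roles=ROLES, toxic=TOXIC_PAIRS) -> List[str]:
    """Roles that carry a toxic pair by themselves. No assignment of such a role is
    ever clean, so the fix is to split the role, not just to move people around."""
    return sorted(name for name, perms in roles.items()
                  if any(pair <= perms for pair in toxic))


if __name__ == "__main__":
    print("self-conflicting roles:", self_conflicting_roles())
    print("users in conflict:", sod_conflicts(USER_ROLES))
    # Remediation from the question: split the duties across people, then re-check.
    fixed = {"d.ruiz": {"vendor-master"}, "s.nair": {"ap-approver"}, "j.lee": {"ap-clerk"}}
    print("after split:", sod_conflicts(fixed))
```

The second check, self_conflicting_roles, is the one that matters for the scenario in the question: as long as a single role bundles vendor creation with payment approval, reassigning users does not help, because anyone given that role inherits the conflict.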

Question 4

Topic: Identity and Access Management Concepts

A help desk technician was granted temporary administrator access to a file server to complete an approved maintenance task. The task is finished, and the technician no longer needs elevated permissions. Which control best supports least privilege in this situation?

Options:

  • A. Enable additional logging for administrator actions

  • B. Remove the temporary administrator access

  • C. Require a stronger password for the technician

  • D. Move the file server to a separate VLAN

Best answer: B

Explanation: Least privilege means users should have only the permissions needed for their current duties, and temporary access should be removed when the business need ends. In this scenario, the technician needed administrator access only for a specific maintenance task. Once that task is complete, keeping elevated access creates unnecessary risk because the account could be misused or compromised with higher privileges. The best control is to reduce or remove the temporary access, often as part of an access review, deprovisioning workflow, or time-bound approval process.

Stronger authentication and monitoring can reduce risk, but they do not correct the excessive permission itself.

  • Password strength helps protect the account but does not remove unnecessary administrator privileges.
  • Additional logging improves visibility but still leaves excessive access in place.
  • Network segmentation can limit server exposure, but it does not address the technician’s unneeded permissions.

Question 5

Topic: Identity and Access Management Concepts

A department manager notices that several employees who changed roles still have access to the old team’s shared financial folder. The company requires managers to periodically confirm that user access matches current job duties. What is the best action to meet this requirement?

Options:

  • A. Disable the shared folder for all users

  • B. Reset the affected users’ passwords

  • C. Create a new onboarding checklist

  • D. Perform an access recertification review

Best answer: D

Explanation: Periodic access review, also called access recertification, is used to confirm that users still need the permissions assigned to them. In this scenario, role changes created a risk that employees retained access from previous duties. Having the manager or access owner review current access against job responsibilities helps detect excessive, outdated, or inappropriate permissions and triggers removal when access is no longer justified.

Password resets address credential control, not whether authorization is still appropriate. Disabling the folder is too broad and disrupts legitimate access.

  • Password reset does not validate whether the users should still have access to the financial folder.
  • Disabling the folder removes access for legitimate users and does not perform a targeted review.
  • Onboarding checklist may help future provisioning, but it does not detect existing outdated permissions.

Question 6

Topic: Identity and Access Management Concepts

A small company is redesigning access to its payroll application. Employees already sign in with MFA. The security goal is to grant permissions based on job responsibilities, such as payroll clerk, HR manager, and auditor, and to make access reviews easier. What is the BEST fit?

Options:

  • A. Use single sign-on

  • B. Add a second authentication factor

  • C. Use role-based access control

  • D. Require a longer password

Best answer: C

Explanation: Access control model choice determines what an authenticated user is allowed to do. In this scenario, users already authenticate with MFA, so the remaining decision is authorization: how to assign payroll permissions. Role-based access control (RBAC) is designed for permissions tied to job roles, making provisioning and periodic access reviews simpler. Authentication methods such as stronger passwords, MFA, or single sign-on help verify identity, but they do not define which payroll records or functions a user may access after signing in.

The key distinction is authentication proves who the user is; an access control model governs what the user can do.

  • Password strength improves authentication but does not organize payroll permissions by job responsibility.
  • More MFA is redundant with the stem and still does not define authorization rules.
  • Single sign-on simplifies login across systems but does not assign application permissions by role.

Question 7

Topic: Identity and Access Management Concepts

A small company provisions application access for new employees based only on each manager’s email request. Recent reviews found that people in the same job function have different permissions, and some have more access than they need. Which control best addresses this risk before new accounts are created?

Options:

  • A. Define approved access roles for each job function

  • B. Review access permissions once per year

  • C. Require multifactor authentication for all users

  • D. Enable detailed logging for application activity

Best answer: A

Explanation: Roles should be defined before access is provisioned because they establish what permissions are appropriate for each job function. This supports least privilege, consistency, and clear ownership of access decisions. Without defined roles, provisioning becomes ad hoc, and users with similar responsibilities may receive different or excessive permissions. MFA, logging, and periodic reviews are useful security controls, but they do not create the access baseline needed at account creation. Roles themselves then need an owner and their own periodic review, or the baseline drifts as permissions are added to them over time. The key takeaway is that role definition guides correct provisioning before permissions are granted.

  • MFA control improves authentication strength, but it does not determine which permissions a user should receive.
  • Annual review may find excessive access later, but it does not prevent inconsistent provisioning at account creation.
  • Activity logging supports monitoring and investigation, but it does not establish job-based permission sets.

Question 8

Topic: Identity and Access Management Concepts

A contractor who supported the finance department ended work on Friday, but their network and cloud file-sharing accounts remained active until the following Wednesday. During that time, the accounts could still open payroll files and modify shared reports. Which control best reduces this risk?

Options:

  • A. Collect the contractor’s building badge on the last day

  • B. Automate account disabling from the termination workflow

  • C. Require annual security awareness training for contractors

  • D. Perform a quarterly review of all finance folder permissions

Best answer: B

Explanation: Delayed deprovisioning creates risk because an identity that no longer has a business need can still access systems and data. In this scenario, the former contractor's active accounts could expose payroll data, affecting confidentiality, and allow report changes, affecting integrity. The best control is prompt access removal, ideally automated from the HR or contract-end workflow so account disabling happens at the time access is no longer authorized. Disable rather than delete on day one so the account's data and logs remain available for review, and make sure the workflow also revokes active sessions and tokens, since disabling a directory account does not always end a session that is already open. Reviews and training help support IAM governance, but they do not immediately remove the stale access that creates the risk.

  • Awareness training may improve behavior, but it does not remove an active account after the contractor leaves.
  • Badge collection addresses physical access, not remaining network and cloud file access.
  • Quarterly permission review may find stale access later, but it is too slow for a known termination event.
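Both lifecycle failures on this page, the temporary administrator access in Question 4 that nobody took back and the contractor accounts here that outlived the engagement, have the same fix: access that is issued with an expiry or tied to an HR event, plus a detective sweep for anything that slipped through. The following is an added example for this page, not page or ISC2 code. Identities, systems, timestamps and the HR event are constructed; in a real deployment on_termination() would be fed by the HR or contract-management system and expire_grants() would run on a schedule inside the IAM tool.

```python
"""Time-bound elevated grants and termination-driven account disabling.

Added example serving Question 4 (temporary admin) and Question 8 (contractor
offboarding). All identities, accounts and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Grant:
    user: str
    system: str
    privilege: str
    approved_by: str
    expires_at: Optional[datetime]   # None means standing (non-temporary) access
    active: bool = True
    revoked_reason: Optional[str] = None


@dataclass
class Account:
    user: str
    system: str
    enabled: bool = True


def grant_temporary_admin(ledger: List[Grant], user: str, system: str,
                          approved_by: str, now: datetime, hours: int = 4) -> Grant:
    """Elevated access is issued with an approver and a hard expiry, so removal
    does not depend on someone remembering that the task finished."""
    g = Grant(user, system, "admin", approved_by, now + timedelta(hours=hours))
    ledger.append(g)
    return g


def expire_grants(ledger: List[Grant], now: datetime) -> List[Grant]:
    """Scheduled sweep: revoke every active grant whose expiry has passed."""
    revoked = []
    for g in ledger:
        if g.active and g.expires_at is not None and g.expires_at <= now:
            g.active = False
            g.revoked_reason = "expired"
            revoked.append(g)
    return revoked


def on_termination(user: str, accounts: List[Account], ledger: List[Grant],
                   now: datetime) -> List[Account]:
    """HR termination event: disable (not delete) every account for the identity
    and revoke its grants, across every system it was provisioned to."""
    touched = []
    for a in accounts:
        if a.user == user and a.enabled:
            a.enabled = False
            touched.append(a)
    for g in ledger:
        if g.user == user and g.active:
            g.active = False
            g.revoked_reason = "terminated " + now.date().isoformat()
    return touched


def stale_accounts(accounts: List[Account], terminated_at: datetime,
                   user: str, now: datetime) -> List[Account]:
    """Detective check for the Friday-to-Wednesday gap: accounts still enabled
    after the termination date."""
    if now < terminated_at:
        return []
    return [a for a in accounts if a.user == user and a.enabled]


def run_scenario() -> dict:
    """Constructed walk-through of both situations; returns the facts to check."""
    utc = timezone.utc
    ledger: List[Grant] = []
    t0 = datetime(2024, 3, 1, 14, 0, tzinfo=utc)
    grant_temporary_admin(ledger, "h.desk", "file-server-01", "it-manager", t0)
    expired_early = len(expire_grants(ledger, t0 + timedelta(hours=3)))  # still in window
    expired_late = len(expire_grants(ledger, t0 + timedelta(hours=4)))   # window closed

    accounts = [Account("c.ortiz", "network-ad"), Account("c.ortiz", "cloud-files"),
                Account("a.chen", "cloud-files")]
    friday = datetime(2024, 3, 1, 18, 0, tzinfo=utc)
    wednesday = friday + timedelta(days=5)
    stale_before = len(stale_accounts(accounts, friday, "c.ortiz", wednesday))
    disabled = sorted(a.system for a in on_termination("c.ortiz", accounts, ledger, friday))
    stale_after = len(stale_accounts(accounts, friday, "c.ortiz", wednesday))
    others_untouched = all(a.enabled for a in accounts if a.user != "c.ortiz")
    return {"expired_early": expired_early, "expired_late": expired_late,
            "stale_before": stale_before, "disabled": disabled,
            "stale_after": stale_after, "others_untouched": others_untouched}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note that on_termination disables accounts rather than deleting them, keeping the contractor's files and logs available for any investigation, and that stale_accounts is the quarterly-review style check: useful as a backstop, but it only finds the gap after it has already existed, which is why the event-driven path is the answer.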

Question 9

Topic: Identity and Access Management Concepts

During a quarterly access recertification, a manager is asked to confirm a user’s access to a sensitive payroll application. The manager says they cannot justify the access, and policy requires a documented business need for sensitive access. What is the BEST action?

Options:

  • A. Create a permanent exception for the access

  • B. Remove the access and require a new approved request if needed

  • C. Keep the access until the next quarterly review

  • D. Ask the user to confirm whether they still need access

Best answer: B

Explanation: Access recertification verifies that users still need the permissions they have. When the responsible manager or access owner cannot justify sensitive access, the safest response is to remove or disable that access according to policy. This supports least privilege and reduces the risk of unauthorized use of sensitive data. If the user later has a valid business need, access can be requested again through the normal approval process. The key is not to rely on assumption or convenience for sensitive permissions.

  • Keeping access until the next review leaves known unjustified sensitive access in place.
  • Asking the user may provide context, but the access still needs owner approval and documented business need.
  • A permanent exception bypasses the recertification purpose and weakens least privilege.

Question 10

Topic: Identity and Access Management Concepts

A company requires multi-factor authentication for all users. During an access review, a help desk technician is found to have authenticated successfully and then downloaded payroll reports, even though the technician’s job duties do not require payroll access. Which control best addresses the issue?

Options:

  • A. Require a longer password for the technician

  • B. Install a camera near the technician’s workstation

  • C. Remove the payroll permission from the technician’s role

  • D. Add a second MFA method for payroll access

Best answer: C

Explanation: Authentication proves the user is who they claim to be; authorization determines what that authenticated user is allowed to access. In this scenario, MFA worked, but the technician still had access to payroll reports outside their job duties. The best control is to correct the user’s authorization scope by removing unneeded permissions or adjusting role-based access. Stronger authentication would reduce the chance of account misuse, but it would not fix excessive access granted to a legitimate user. The key takeaway is to match permissions to job need after identity is verified.

  • Stronger password addresses authentication strength, not the technician’s unnecessary payroll authorization.
  • More MFA may protect sign-in, but it still allows an authenticated technician to access payroll if permissions remain unchanged.
  • Physical monitoring does not correct logical access rights to sensitive reports.
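The authentication-versus-authorization distinction runs through Questions 6, 7 and 10: a successful MFA login proves who the user is, and only the role model decides what they may touch. The following is an added example for this page, not page or ISC2 code. The role baselines, users, the directly assigned extra permission and the MFA outcomes are constructed. It also goes slightly beyond the question stems by adding a drift report, the check an access review would use to find users whose permissions exceed their role baseline.

```python
"""Authorization is decided by role, not by a successful login.

Added example covering the RBAC questions on this page. Roles, users and MFA
outcomes are constructed sample data.
"""
from typing import Dict, Set

# Approved role baselines, defined before anyone is provisioned (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll-clerk": {"payroll.report.view", "payroll.entry.edit"},
    "hr-manager":    {"payroll.report.view", "employee.record.edit"},
    "auditor":       {"payroll.report.view", "audit.log.view"},
    "helpdesk":      {"ticket.edit", "password.reset"},
}

# Users: MFA outcome for this session, assigned roles, and any permission granted
# directly outside a role (the ad hoc "a manager emailed for it" case).
USERS = {
    "t.okafor": {"mfa_passed": True,  "roles": {"helpdesk"},      "direct": {"payroll.report.view"}},
    "p.singh":  {"mfa_passed": True,  "roles": {"payroll-clerk"}, "direct": set()},
    "x.doe":    {"mfa_passed": False, "roles": {"auditor"},       "direct": set()},
}


def role_baseline(roles: Set[str], role_perms=ROLE_PERMISSIONS) -> Set[str]:
    """Permissions the user's roles alone would justify."""
    perms: Set[str] = set()
    for r in roles:
        perms |= role_perms[r]
    return perms


def effective_permissions(user: dict, role_perms=ROLE_PERMISSIONS) -> Set[str]:
    """What the user can actually do: role baseline plus any direct grants."""
    return role_baseline(user["roles"], role_perms) | user["direct"]


def authorize(user_id: str, permission: str, users=USERS,
              role_perms=ROLE_PERMISSIONS) -> str:
    """Two separate gates. Authentication answers 'who is this?'; only
    authorization answers 'may they do this?'. Passing the first never implies the second."""
    user = users[user_id]
    if not user["mfa_passed"]:
        return "denied:unauthenticated"
    if permission not in effective_permissions(user, role_perms):
        return "denied:unauthorized"
    return "allowed"


def drift_report(users=USERS, role_perms=ROLE_PERMISSIONS) -> Dict[str, Set[str]]:
    """Permissions each user holds beyond their roles' baseline. This is what an
    access review surfaces: people in the same job function with different access."""
    report: Dict[str, Set[str]] = {}
    for uid, u in users.items():
        extra = u["direct"] - role_baseline(u["roles"], role_perms)
        if extra:
            report[uid] = extra
    return report


def remove_direct_permission(user_id: str, permission: str, users=USERS) -> bool:
    """Fix the authorization scope itself rather than adding a stronger login step."""
    direct = users[user_id]["direct"]
    if permission in direct:
        direct.discard(permission)
        return True
    return False


if __name__ == "__main__":
    print("technician, MFA passed:", authorize("t.okafor", "payroll.report.view"))
    print("drift:", drift_report())
    remove_direct_permission("t.okafor", "payroll.report.view")
    print("technician after fix:", authorize("t.okafor", "payroll.report.view"))
    print("auditor without MFA:", authorize("x.doe", "payroll.report.view"))
```

The first call reproduces the question: MFA succeeds and the technician is still allowed to read payroll reports, because the direct grant sits outside the helpdesk baseline. Adding a second MFA method would change nothing in authorize(); removing the grant does.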
