SYSTEMS SECURITY (SSCP) QUESTIONS AND ANSWERS WITH RATIONALES / GRADED A+ / 2026 UPDATE / 100% CORRECT / INSTANT DOWNLOAD
Domain 1: Access Controls (15 Questions)
1. A security analyst needs to implement a system that ensures users can only
access specific files based on their current project role and clearance level.
Which access control model enforces this rigid structure based on subject and
object labels?
A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Rationale: MAC uses labels (e.g., Confidential, Secret) assigned to subjects and
objects. The system checks these labels to grant access, overriding user discretion.
This is standard in military and government systems.
2. A web application allows users to log in using their Google or Facebook
credentials. This is an example of which identity management concept?
A. Single Sign-On (SSO)
B. Federation
C. Lightweight Directory Access Protocol (LDAP)
D. Provisioning
Rationale: Federation relies on trust relationships between separate organizations or
systems. It allows a user from one domain (e.g., Google) to access resources in
another domain without a separate password.
3. A company wants to implement "something you are" for multifactor
authentication. Due to hygiene concerns, they avoid fingerprint scanners.
Which biometric method would be best suited for high-volume employee time
tracking?
A. Retina Scan
B. Hand Geometry
C. DNA Matching
D. Iris Recognition
Rationale: Hand geometry readers are often used for time clocks or physical access
control because they are durable, fast, user-friendly, and less intrusive than retinal
scans.
4. A biometric system is generating too many complaints from authorized users
who are being denied access. What metric is too high?
A. False Acceptance Rate (FAR)
B. False Rejection Rate (FRR)
C. Crossover Error Rate (CER)
D. Equal Error Rate (EER)
Rationale: FRR (Type I error) occurs when a valid user is incorrectly rejected. This is
frustrating for users and impacts usability. FAR (Type II error) is a security risk (letting
an impostor in).
5. You are configuring access to a cloud storage bucket. The policy states:
"Allow read access if the request occurs between 9 AM and 5 PM AND the
device is managed by the company." What type of access control is this?
A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Attribute-Based Access Control (ABAC)
D. Non-Discretionary Access Control
Rationale: ABAC uses policies that evaluate multiple attributes (subject attributes
like role/clearance, object attributes like classification, and environment attributes
like time/location) to make access decisions.
6. Which best describes the primary difference between Identification and
Authentication?
A. Identification proves who you are; Authentication requests access.
B. Identification is a claim of identity; Authentication is the verification of that
claim.
C. Authentication is the username; Identification is the password.
D. Identification is used for accountability; Authentication is used for authorization.
Rationale: Identification is simply a user making a claim (e.g., "I am User123").
Authentication is the process of proving that claim (e.g., providing a password).
7. What is the primary security benefit of implementing "Impossible Travel
Time" detection rules in a SIEM?
A. It prevents SQL injection attacks.
B. It detects potential credential theft or account takeover.
C. It enforces password complexity requirements.
D. It mitigates DDoS attacks.
Rationale: Impossible travel detects when a user logs in from New York and then
logs in from London 30 minutes later—a physical impossibility. This indicates an
attacker is likely using stolen credentials elsewhere.
8. An organization uses smart cards and a PIN to access secure facilities. The
smart card is considered:
A. Something you know
B. Something you are
C. Something you have
D. Something you do
Rationale: The three factors are: Knowledge (password/PIN), Possession (smart
card/token), and Inherence (biometrics). The card is something you physically
possess.
9. A system where the owner of a file can grant "Read" access to another user
without administrator intervention is operating under:
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Rule-Based Access Control (RBAC)
Rationale: DAC gives the creator or owner of an object the discretion to decide who
else can access it, often using an Access Control List (ACL).
10. In a "Lattice-Based" access control model, how are permissions structured?
A. A central administrator explicitly grants every permission.
B. Subjects and objects are arranged in a hierarchical lattice of security
clearances.