Exam (worked answers)

INFORMATION ASSURANCE SECURITY EXAM 2 QUESTIONS WITH DETAILED VERIFIED ANSWERS; GRADED A+

Pages
50
Grade
A+
Uploaded on
17-03-2025
Written in
2024/2025

This document contains a compilation of practice tests for the INFORMATION ASSURANCE board exam. These prep exam questions will improve your knowledge and understanding of INFORMATION ASSURANCE topics.

Institution
Information Technology
Course
Information technology

Preview of the content

INFORMATION ASSURANCE
SECURITY
INFORMATION ASSURANCE SECURITY EXAM 2
QUESTIONS WITH DETAILED VERIFIED ANSWERS;
ALREADY GRADED A; 2025

Access Control - ANS--The process of protecting a resource so that it is used only by
those allowed to; prevents unauthorized use
-Mitigations put into place to protect a resource from a threat

the four parts of access control - ANS-Identification: Who is asking to access the asset?
Authentication: Can the requestor's identity be verified?
Authorization: What exactly can the requestor access? What can they do?
Accountability: How can actions be traced to an individual? We need to ensure that a
person who accesses or makes changes to data or systems can be identified. This is the
process of associating actions for later reporting and research

The policy definition phase - ANS-this phase determines who has access and what
systems or resources they can use. The authorization definition process operates in
this phase

the policy enforcement phase - ANS-This phase grants or rejects requests for access
based on the authorizations defined in the first phase. The identification,
authentication, authorization execution, and accountability processes operate in this
phase

Identification - ANS--The process of ascribing a computer ID to a specific user,
computer, or network device.
-Usually takes the form of a unique logon ID or user id.
-Links the logon ID or user ID to previously assigned credentials.
-User IDs should not be shared or descriptive of job function.
-User identification enables authentication and authorization - the basis for
accountability.
-Accountability traces activities to individual users or computer processes.
-establishes responsibility for actions.

Establishing proper privileges - ANS-3 steps used (AAA):
-Authentication: matches user-supplied credentials to stored credentials; usually done
with an account name and a password
-Authorization: grants specific permissions based on the privileges held by the account
-Accounting: keeps detailed security logs to maintain an audit trail of tasks being
performed

access control types - ANS-Physical access control:
-controls entry into protected areas
-smart cards
-programmed with ID number
-Used at parking lots, elevators, office doors

-shared office buildings may require an additional after hours card
-cards control access to physical resources
Logical access control:
-controls access to a computer system or network
-deciding which users can get into a system
-monitoring what each user does on that system
-restraining or influencing a user's behavior on that system

The security kernel - ANS-Central part of a computer or communications system
hardware, firmware, and software that implements the basic security procedures for
controlling access to system resources
-enforces access control for computer systems
-central point of access control
-implements the reference monitor concept

Example:
1. The subject requests access to an object. The security kernel intercepts the
request
2. The security kernel refers to its rules base, also known as the security kernel
database. It uses these rules to determine access rights. Access rights are set
according to the policies your organization has defined
3. The kernel allows or denies access based on the defined access rules. All access
requests handled by the system are logged for later tracking and analysis

access control policy - ANS-a set of rules that allows a specific group of users to
perform a particular set of actions on a particular set of resources
-use access control policies to reduce and control security risks. Both automated
processes and humans use access control policies

four central components of access control - ANS--users: People who use the system or
processes that perform some service for other people or processes. A more general
term for users is subjects
-resources: Protected objects in the system. Resources can be accessed only by
authorized subjects. Resources can be used only in authorized ways
-actions: Activities that authorized users can perform on resources. In role-based
policies for controller commands, the action is Execute and the resource is the
command being executed
-relationships: Optional conditions that exist between users and resources. For
example, all resources have a relationship of owner, which is fulfilled by the owner of
the resource

authorization policies - ANS-The first step to controlling access is to create a policy that
defines authorization rules. Authorization is the process of deciding who has access to
which computer and network resources.
-The most detailed authorization policy is based on individual users. In this type of policy,
each user has specific assigned privileges. These user-assigned privileges allow an admin to
define approved resource access at a very detailed level. User-based authentication is
hard to maintain.
-In a group membership policy, authorization is defined by what group users are in.
Assigning group-based privileges reduces admin workload.
-In an authority-level policy, you need a higher degree of authority to access certain
resources.

Methods and guidelines for identification - ANS-first step in enforcing an authorization
policy is identification.
Methods:
-username: most common method to identify a user to a system
-smart card: often takes the form of a plastic credit card
-biometrics: examples include fingerprints

Guidelines:
-each user must have unique identifier (to ensure that all actions carried out in a
computer system can be associated with a specific user)- makes it possible to
differentiate between two users with the same name
-accounting: the process of associating an action with users for later reporting or
analysis

Five types of authentication - ANS-Knowledge: Something you know
-A password, passphrase, or personal identification number (PIN).
Ownership: Something you have
-A smart card, key, badge, or token.
Characteristics: Something unique to you
-Fingerprints, retina, or signature. Since the characteristics involved are often physical,
this type of authentication is sometimes defined as something you are.
Location: Somewhere you are
-Your physical location when you attempt to access a resource.
Action: Something you do/how you do it
-The way you type on a keyboard.

two-factor or multifactor authentication - ANS-A combination of username and password
is considered single-factor authentication. It may or may not be adequate for access to
more sensitive systems, applications, or data. In this case, you might be required to provide
two-factor authentication, in which you would swipe a card (something you have) to
enter the building and type a PIN (something you know) to ensure security

authentication by knowledge - ANS-Based on something you know, like a password,
phrase, or PIN. The oldest and most common method of authentication for computer
systems (also the weakest). Two-step authentication should be the minimum requirement
for valuable resources. As value of resource increases, so should strength of access

Meet the seller

Delmahubcham Chamberlain College Of Nursing