WGU C845 - SSCP STUDY GUIDE PT1 UPDATED EXAM WITH
MOST TESTED QUESTIONS AND ANSWERS | GRADED A+ |
ASSURED SUCCESS WITH DETAILED RATIONALES
1. John works in an organization. He is trying to enter a password to log in to his account on the
organization’s login website. Which of the following best describes the use of passwords for
access control?
A. Authorization
B. Authentication
C. Accounting
D. Auditing
Rationale: Authentication is the process of verifying a user’s identity, typically through
credentials like passwords. Authorization determines what they can access, and accounting
tracks their activities.
2. What is the primary benefit of a security camera for physical security?
A. Preventive
B. Detective
C. Corrective
D. Deterrent
Rationale: Security cameras are detective controls because they monitor and record events,
helping to identify security breaches after they occur.
3. Why is it important to perform a physical security assessment after a fire, chemical release,
or bomb false alarm?
A. To test emergency response times.
B. To update insurance policies.
C. The event could have been triggered as a distraction to alter physical security mechanisms.
D. To comply with legal regulations.
Rationale: Attackers may create diversions (like false alarms) to compromise physical security
controls during the chaos. A post-event assessment ensures no tampering occurred.
4. What type of access control is typically the first line of defense?
A. Logical
B. Administrative
C. Physical
D. Technical
Rationale: Physical access controls (e.g., fences, locks) are the outermost layer of defense,
preventing unauthorized entry before logical or administrative controls are needed.
5. An IDS reports that an event of concern has taken place, but later analysis determines that the
event was benign and should not have caused an IDS alert. Which of the following describes this
condition?
A. True Positive
B. False Positive
C. True Negative
D. False Negative
Rationale: A false positive occurs when an IDS incorrectly flags normal activity as malicious,
leading to unnecessary alerts.
6. Your organization experienced an impersonation attack recently. You want a new
authentication system that ensures:
Eavesdropped passwords cannot be reused.
Passwords are only used once.
Password prediction is prevented.
Passwords are only valid for a short time.
How can you accomplish these goals?
A. Implement biometric authentication.
B. Implement a synchronized, one-time password token-based authentication system.
C. Enforce complex password policies.
D. Use digital certificates.
Rationale: One-time password (OTP) tokens generate time-limited, single-use passwords,
preventing replay attacks, password guessing, and reuse.
7. Which of the following is an example of single-factor authentication being used to gain
access to a computer system?
A. Using a username and a 16-character password.
B. Using a smart card and PIN.
C. Using a fingerprint and retina scan.
D. Using a token and password.
Rationale: Single-factor authentication uses only one type of credential. A username and
password are both something you know, representing one factor.
8. How can a user be given the power to set privileges on an object for other users within a DAC
operating system?
A. Make the user a system administrator.
B. Grant the user full control over the object.
C. Use role-based access control.
D. Implement mandatory access control.
Rationale: In Discretionary Access Control (DAC), the owner of an object can assign
permissions to others. Granting full control enables this capability.
9. Which of the following are examples of a non-discretionary access control system? (Select all
that apply.)
A. MAC (Mandatory Access Control)
B. RBAC (Role-Based Access Control)
C. ABAC (Attribute-Based Access Control)
D. DAC (Discretionary Access Control)
Rationale: Non-discretionary access control includes models where access decisions are not
left to user discretion. MAC, RBAC, and ABAC are all non-discretionary.
10. Which of the following clearance levels or classification labels is not generally used in a
government- or military-based MAC scheme?
A. Top Secret
B. Secret
C. Confidential
D. Proprietary
Rationale: Proprietary is a commercial classification, not a standard government/military label
in MAC schemes, which use Top Secret, Secret, Confidential, and Unclassified.
11. How are the access control schemes of MAC and RBAC distinguished from DAC?
A. They are more flexible.
B. They are not based on user decisions.
C. They are easier to manage.
D. They use biometrics.
Rationale: MAC and RBAC are non-discretionary; access decisions are centrally controlled,
unlike DAC where users decide permissions.
12. How is role-based access control implemented?
A. By assigning security labels to objects.
B. By assigning a job name label to subjects.
C. By using access control lists.
D. By classifying data sensitivity.
Rationale: RBAC assigns users to roles based on their job functions, and permissions are
granted to roles rather than individuals.
13. How can account provisioning be configured so that the assignment of rights and privileges
is nearly automatic once the account is created?
A. Use manual approval for each permission.
B. Use an RBAC mechanism where a new user’s role is set by an HR admin.
C. Allow users to request access as needed.
D. Implement DAC for all resources.
Rationale: RBAC automates permission assignment: when HR assigns a role, the system
automatically grants associated privileges.