ISC 2 Credentials CISSP Syllabus Exam Questions Answers

Rule-based access control is a type of access mechanism that uses predefined rules or policies to grant or deny access to resources based on certain conditions or criteria. Rule-based access control can be used to accomplish the requirement of allowing a user to access the file labeled “Financial Forecast,” but only between 9:00 a.m. and 5:00 p.m., Monday through Friday. The rule-based access control system can evaluate the attributes of the user, the file, and the environment, such as the identity, role, location, time, or date, and compare them with the rules or policies that specify the access conditions. For example, a rule-based access control policy could state that “Users in the finance department can access the file ‘Financial Forecast’ only from the office network and only during business hours.” If the user and the file match the criteria of the rule, then access is granted; otherwise, access is denied. References: CISSP All-in-One Exam Guide, Chapter 5: Identity and Access Management, Section: Access Control Models, pp. 403-404.

The privacy issue in this scenario is that the users were not informed as to what information collected would be shared with other users, and they did not give their consent to share their information. This violates the privacy principles of notice and choice, which state that the users should be notified of the data collection and sharing practices of the organization, and they should be given the option to opt-in or opt-out of the sharing feature. The technical control that should be put in place to remedy the privacy issue while still trying to accomplish the organization’s business goals is to default the user to not share any information, and to provide the user with a clear and easy way to enable the sharing feature if they wish to do so. This way, the user’s privacy is respected and protected, and the user can still participate in the sharing feature if they find it beneficial. The other answer choices are not appropriate, because they either do not address the privacy issue, or they do not support the organization’s business goals . References: [CISSP CBK, Fifth Edition, Chapter 1, page 35]; [CISSP Practice Exam – FREE 20 Questions and Answers, Question 20].

Session management is the process of controlling and maintaining the state and information of a user’s interaction with a web service. It involves creating, maintaining, and terminating sessions, as well as ensuring their security and integrity. An attacker who is able to remain indefinitely logged into a web service is exploiting a weakness in session management, such as the lack of session expiration, session timeout, or session revocation. Alert management, password management, and identity management (IM) are all related to security, but they do not directly address the issue of session management. 

The type of solution that would suit the needs of a large corporation that wants to automate access based on where the request is coming from, who the user is, what device they are connecting with, and what time of day they are attempting this access is Network Access Control (NAC). NAC is a solution that enables the enforcement of security policies and rules on the network level, by controlling the access of devices and users to the network resources. NAC can automate access based on various factors, such as the location, identity, role, device type, device health, or time of the request. NAC can also perform functions such as authentication, authorization, auditing, remediation, or quarantine of the devices and users that attempt to access the network. Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC) are not types of solutions, but types of access control models that define how the access rights or permissions are granted or denied to the subjects or objects. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, page 737; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 517.