CISSP Exam Practice Questions and Answers 2025/2026, Quizzes of Advanced Education

A collection of practice questions and verified answers for the CISSP (Certified Information Systems Security Professional) exam, specifically tailored for the 2025/2026 exam cycle. It covers key areas such as identity and access management, offering detailed explanations and references to authoritative sources like the CISSP Prep Guide and the Information Security Management Handbook. The questions address critical security concepts, access control models, and security objectives, making it a valuable resource for exam preparation and knowledge reinforcement. It includes questions about biometric parameters, accountability, access control techniques, and security policies.

Typology: Quizzes

2025/2026

Available from 09/08/2025

StudentOnly
CISSP Exam Collection Part 2 With 100%
Correct And Verified Answers 2025/2026
QUESTION 151
Which of the following biometric parameters are better suited for authentication use over
a long period of time?
A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings,
rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice,
signature and retina patterns are more likely to change over time, thus are not as
suitable for authentication over a long period of time without needing re-enrollment.
Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1
(derived from the Information Security Management Handbook, 4th Ed., by
Tipton & Krause).
QUESTION 152
Which of the following is required in order to provide accountability?
A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails - Correct Answer-Correct Answer: D
Section: Identity and Access Management
Explanation/Reference:
Accountability can actually be seen in two different ways:
1) Although audit trails are also needed for accountability, no user can be accountable
for their actions unless properly authenticated.
2) Accountability is another facet of access control. Individuals on a system are
responsible for their actions. This accountability property enables system activities
to be traced to the proper individuals. Accountability is supported by audit trails that
record events on the system and network. Audit trails can be used for intrusion
detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at log-on time should notify the user of any monitoring that is being conducted.
The point is that unless you employ an appropriate auditing mechanism, you don't have accountability. Authorization only gives a user certain permissions on the network. Accountability is far more complex because it also includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and system faults. The audit trail provides the proof that unauthorized modifications by both authorized and unauthorized users took place. No proof, no accountability.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 50
The Shon Harris AIO book, 4th Edition, on Page 243 also states: Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools. Accountability is tracked by recording user, system, and application ac
QUESTION 153
Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
A. Access control lists
B. Discretionary access control
C. Role-based access control
D. Non-mandatory access control - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non-mandatory access control is not a defined access control technique.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).
QUESTION 154

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario?
A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges - Correct Answer-Correct Answer: D
Section: Identity and Access Management
Explanation/Reference:
Even though all four terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented.
Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645 and
QUESTION 157
Which of the following are additional access control objectives?
A. Consistency and utility
B. Reliability and utility
C. Usefulness and utility
D. Convenience and utility - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
Availability assures that a system's authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32
QUESTION 158

Controls are implemented to:
A. eliminate risk and reduce the potential for loss
B. mitigate risk and eliminate the potential for loss
C. mitigate risk and reduce the potential for loss
D. eliminate risk and eliminate the potential for loss - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks. It is not feasible or possible to eliminate all risks and the potential for loss, as risks and threats are constantly changing.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32
QUESTION 159
Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?
A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision. - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33
QUESTION 160

QUESTION 162

In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:
A. people need not use discretion
B. the access controls are based on the individual's role or title within the organization.
C. the access controls are not based on the individual's role or title within the organization
D. the access controls are often based on the individual's role or title within the organization - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization. You can easily configure a new employee's access by assigning the user to a role that has been predefined. The user will implicitly inherit the permissions of the role by being a member of that role. These access permissions defined within the role do not need to be changed whenever a new person takes over the role.
Another type of non-discretionary access control model is Rule Based Access Control (RBAC or RuBAC), where a global set of rules is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall.
This question is a sneaky one: one of the choices has only one added word in it, which is "often". Reading questions and their choices very carefully is a must for the real exam. Reading them twice if needed is recommended.
Shon Harris in her book lists the following ways of managing RBAC:
Role-based access control can be managed in the following ways:
Non-RBAC: Users are mapped directly to applications and no roles are used. (No roles being used)
Limited RBAC: Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix of roles for applications that support roles and explicit access control would be used for applications that do not support roles)
Hybrid RBAC: Users are mapped to multiapplication roles with only selected rights assigned to those roles.
Full RBAC: Users are mapped to enterprise roles. (Roles are used for all access being granted)
NIST defines RBAC as: Security
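The explanation for QUESTION 162 contrasts two non-discretionary models: role-based access control, where a personnel change only touches the user-to-role mapping, and rule-based access control, where one global rule list is applied to every subject, as in a firewall. The following Python is an added illustration written for this page, not code from the quiz or from any book it cites; every role, permission, user name and firewall rule in it is constructed.

```python
# Added example, not part of the source quiz: the two non-discretionary models
# QUESTION 162's explanation names, role-based (RBAC) and rule-based (RuBAC).
# Every role, permission, user and firewall rule below is constructed for
# illustration and is not taken from any real system.
import ipaddress
from dataclasses import dataclass
from typing import Optional


class RBAC:
    """Role-based access control: a user holds permissions only through roles,
    so a personnel change touches the user-to-role mapping, never the roles."""

    def __init__(self):
        self.role_permissions = {}   # role -> set of permissions
        self.user_roles = {}         # user -> set of roles

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def assign(self, user, role):
        # Users may only be placed into roles that have been predefined.
        if role not in self.role_permissions:
            raise KeyError(f"role {role!r} has not been defined")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        # The user implicitly inherits every permission of every role held.
        held = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in held))

    def allowed(self, user, permission):
        return permission in self.permissions(user)


def personnel_change():
    """Alice leaves and Bob takes over the payroll clerk role. The role's
    permissions are never edited; only the membership changes.
    Returns (alice_before, alice_after, bob_after)."""
    ac = RBAC()
    ac.define_role("payroll_clerk", {"payroll:read", "payroll:submit"})
    ac.define_role("auditor", {"payroll:read", "audit_log:read"})
    ac.assign("alice", "payroll_clerk")
    alice_before = ac.permissions("alice")
    ac.revoke("alice", "payroll_clerk")
    ac.assign("bob", "payroll_clerk")
    return alice_before, ac.permissions("alice"), ac.permissions("bob")


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    source: str              # CIDR block the rule applies to
    port: Optional[int]      # destination port, None matches any port


class RuBAC:
    """Rule-based access control, firewall style: one global rule list is
    applied to every subject in order, first match wins, default deny."""

    def __init__(self, rules):
        self.rules = [(r, ipaddress.ip_network(r.source)) for r in rules]

    def allowed(self, source_ip, port):
        addr = ipaddress.ip_address(source_ip)
        for rule, network in self.rules:
            if addr in network and (rule.port is None or rule.port == port):
                return rule.action == "allow"
        return False


# Constructed policy: SSH only from the internal range, HTTPS from anywhere.
FIREWALL = RuBAC([
    Rule("allow", "10.0.0.0/8", 22),
    Rule("deny", "0.0.0.0/0", 22),
    Rule("allow", "0.0.0.0/0", 443),
])

if __name__ == "__main__":
    print(personnel_change())
    print(FIREWALL.allowed("10.1.2.3", 22), FIREWALL.allowed("203.0.113.9", 22))
```

Note the asymmetry the question turns on: in the RBAC half, `personnel_change` never edits a role, only memberships; in the RuBAC half, the rule list knows nothing about individual users at all, which is exactly why a firewall is the explanation's example of rule-based control.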

QUESTION 163

Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied?
A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed.
B. The pair of elements is the subject and object, and the subject has an upper bound lower than the upper bound of the object being accessed.
C. The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice.
D. The pair of elements is the subject and object, and the subject has no access rights in relation to an object. - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
In this type of control, a lattice model is applied. To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal to or higher than the object being accessed.
WIKIPEDIA has a great explanation as well: In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.
Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34 and http://en.wikipedia.org/wiki/Lattice-based_access_control
QUESTION 164
Detective/Technical measures:
A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.
C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information.
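The lattice model behind QUESTION 163 is easier to see with labels that carry both a classification level and a set of compartments: "greater than or equal to" is then a partial order (dominance), and two labels can be incomparable, which is what makes the structure a lattice rather than a simple ranking. The Python below is an added illustration written for this page, not code from the quiz or its references; the level names and compartments are constructed.

```python
# Added example, not part of the source quiz: the lattice-based access decision
# QUESTION 163 describes. A label is a (level, compartments) pair; "dominates" is
# the lattice's partial order, and join/meet are the least upper and greatest
# lower bounds that make the label set a lattice. Level and compartment names
# are constructed for illustration.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.compartments = frozenset(compartments)

    def __eq__(self, other):
        return (isinstance(other, Label)
                and (self.level, self.compartments) == (other.level, other.compartments))

    def __hash__(self):
        return hash((self.level, self.compartments))

    def __repr__(self):
        return f"Label({self.level!r}, {sorted(self.compartments)})"

    def dominates(self, other):
        """self >= other: level at least as high AND every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other):
        """Least upper bound: the lowest label that dominates both."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments | other.compartments)

    def meet(self, other):
        """Greatest lower bound: the highest label dominated by both."""
        level = min(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments & other.compartments)


def can_access(subject, obj):
    """Choice A of QUESTION 163: the subject's upper bound must be equal to or
    higher than the object's label, i.e. the subject label dominates it."""
    return subject.dominates(obj)


def relation(a, b):
    """Unlike a simple ranking, two labels may be incomparable, in which case
    neither side may access the other's objects."""
    if a.dominates(b) and b.dominates(a):
        return "equal"
    if a.dominates(b):
        return "a dominates b"
    if b.dominates(a):
        return "b dominates a"
    return "incomparable"


if __name__ == "__main__":
    analyst = Label("SECRET", {"NUCLEAR"})
    report = Label("CONFIDENTIAL", {"CRYPTO"})
    print(relation(analyst, report), analyst.join(report))
```

The second `can_access` case in the test is the one worth remembering: a TOP SECRET subject with no compartments is still denied a CONFIDENTIAL object marked with a compartment, because level alone is not the order; the join of two incomparable labels is the clearance a subject would need to read both.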

D. a real password by the system which can be used forever. - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. It is recommended to use a passphrase instead of a password. A passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often the passphrase will exceed the maximum length supported by the system and it must be truncated into a virtual password.
Reference(s) used for this question: http://www.itl.nist.gov/fipspubs/fip112htm and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37
QUESTION 167
In the context of biometric authentication, what is a quick way to compare the accuracy of devices? In general, the device that has the lowest value would be the most accurate. Which of the following would be used to compare accuracy of devices?
A. the CER is used.
B. the FRR is used
C. the FAR is used
D. The FER is used - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
Equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
In the context of biometric authentication, almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR). Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the Crossover Error Rate (CER) is used.
The following are used as performance metrics for biometric systems:
False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. On a similarity scale, if the person is in reality an impostor but the matching score is higher than the threshold, he is treated as genuine, which increases the FAR; performance therefore also depends on the selection of the threshold value.
False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected.
Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful.
QUESTION 168
The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of:
A. 100 subjects per minute.
B. 25 subjects per minute.
C. 10 subjects per minute.
D. 50 subjects per minute. - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of 10 subjects per minute. Things that may impact the throughput rate for some types of biometric systems may include: A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38
QUESTION 169
Which of the following biometric devices has the lowest user acceptance level?

A. l0phtcrack
B. Tripwire
C. OphCrack
D. John the Ripper - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified. This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it. The other programs are password-cracking programs and are likely to be used by security administrators as well as by hackers. More info regarding Tripwire is available on the Tripwire, Inc. Web Site.
NOTE: The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can get the Open Source version of Tripwire at the following URL: http://sourceforge.net/projects/tripwire/
QUESTION 172
What is an error called that causes a system to be vulnerable because of the environment in which it is installed?
A. Configuration error
B. Environmental error
C. Access validation error
D. Exceptional condition handling error - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
In an environmental error, the environment in which a system is installed somehow causes the system to be vulnerable. This may be due, for example, to an unexpected interaction between an application and the operating system or between two applications on the same host. A configuration error occurs when user-controllable settings in a system are set such that the system is vulnerable. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 10, March 2002 (page 106).

QUESTION 173

A network-based vulnerability assessment is a type of test also referred to as:
A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment. - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses. Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability systems.
There are mostly two main types of test:
PASSIVE: You don't send any packet or interact with the remote target. You make use of public databases and other techniques to gather information about your target.
ACTIVE: You do send packets to your target; you attempt to stimulate a response which will help you in gathering information about hosts that are alive, services running, port state, and more.
See example below of both types of attacks: Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages, modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.
IMPORTANT NOTE: Commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. They do not use vendor terms but general terms. Experience could trick you into selecting the wrong choice sometimes. See feedback from Jason b
QUESTION 174
Why would anomaly detection IDSs often generate a large number of false positives?
A. Because they can only identify correctly attacks they already know about.
B. Because they are application-based and are more subject to attacks.

Section: Identity and Access Management
Explanation/Reference:
Detective technical controls warn of technical access control violations. Access control software is rather an example of a preventive technical control. The other choices represent detective technical controls.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 10 (March 2002).
QUESTION 177
Which of the following does not apply to system-generated passwords?
A. Passwords are harder to remember for users.
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy.
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers. - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
Users tend to choose easier-to-remember passwords. System-generated passwords can provide stronger, harder-to-guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user's desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 64).
QUESTION 178
Which of the following is not a preventive login control?
A. Last login message
B. Password aging
C. Minimum password length
D. Account expiration - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:

The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).
QUESTION 179
What is the most critical characteristic of a biometric identifying system?
A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability - Correct Answer-Correct Answer: C
Section: Identity and Access Management
Explanation/Reference:
Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is measured in terms of false rejection rate (FRR, or Type I errors) and false acceptance rate (FAR, or Type II errors). The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy.
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9).
QUESTION 180
What is considered the most important type of error to avoid for a biometric access control system?
A. Type I Error
B. Type II Error
C. Combined Error Rate
D. Crossover Error Rate - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor. A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a Type II error rate. A Type I error is when a valid company employee is rejected by the system and he cannot get access even though he is a valid user. The Crossover Error Rate (CER) is the point at which the false
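QUESTIONS 167, 179 and 180 all turn on how FAR (Type II), FRR (Type I) and the crossover error rate relate to the decision threshold. The Python below is an added illustration written for this page, not code from the quiz or from the books it cites: it sweeps the threshold over constructed matching scores for two hypothetical devices, locates the crossover point, and picks the device with the lower CER, as the Q167 explanation says to do.

```python
# Added example, not part of the source quiz: computing FAR, FRR and the
# crossover error rate (CER) that QUESTIONS 167, 179 and 180 discuss, from a
# sweep of the decision threshold. Matching scores are on a similarity scale
# (higher = more alike) and are constructed for two hypothetical devices.
from fractions import Fraction

# Constructed genuine-user and impostor matching scores, device A (well separated).
GENUINE_A = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_A = [0.62, 0.58, 0.54, 0.50, 0.47, 0.43, 0.40, 0.35, 0.30, 0.25]
# Device B: the two populations overlap more, so every threshold trades off worse.
GENUINE_B = [0.90, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45, 0.40]
IMPOSTOR_B = [0.70, 0.65, 0.60, 0.55, 0.50, 0.35, 0.30, 0.25, 0.20, 0.15]


def error_rates(genuine, impostor, threshold):
    """FAR (Type II): impostors scoring at or above the threshold are accepted.
    FRR (Type I): genuine users scoring below the threshold are rejected.
    Fractions keep the rates exact for small samples."""
    far = Fraction(sum(score >= threshold for score in impostor), len(impostor))
    frr = Fraction(sum(score < threshold for score in genuine), len(genuine))
    return far, frr


def crossover(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER) at the point where FAR and FRR are closest; the CER is
    reported as the mean of the two rates there."""
    best = None
    for threshold in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def most_accurate(devices):
    """Given {name: (genuine_scores, impostor_scores)}, pick the lowest CER."""
    return min(devices, key=lambda name: crossover(*devices[name])[1])


def sensitivity_effect(genuine, impostor, low, high):
    """Raising the threshold (more selective) must lower FAR and raise FRR."""
    far_low, frr_low = error_rates(genuine, impostor, low)
    far_high, frr_high = error_rates(genuine, impostor, high)
    return far_high <= far_low and frr_high >= frr_low


if __name__ == "__main__":
    for name, (g, i) in {"A": (GENUINE_A, IMPOSTOR_A), "B": (GENUINE_B, IMPOSTOR_B)}.items():
        print(name, crossover(g, i))
```

For device A the rates cross at a threshold of 0.60 with a CER of 10%; device B's best threshold still leaves a 35% CER, so A is the more accurate device. `sensitivity_effect` checks the direction the Q167 explanation gives: moving the threshold up trades FAR for FRR, which is why an access control deployment (Q180) would sit above the crossover point and accept a higher Type I rate to keep impostors out.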

QUESTION 182

Which authentication technique best protects against hijacking?
A. Static authentication
B. Continuous authentication
C. Robust authentication
D. Strong authentication - Correct Answer-Correct Answer: B
Section: Identity and Access Management
Explanation/Reference:
Continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking. Static authentication is the type of authentication provided by traditional password schemes, and the strength of the authentication is highly dependent on the difficulty of guessing passwords. The robust authentication mechanism relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, and it does not protect against hijacking. Strong authentication refers to two-factor authentication (like something a user knows and something a user is).
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured Connections to External Networks (page 51).
QUESTION 183
Which of the following is not a security goal for remote access?
A. Reliable authentication of users and systems
B. Protection of confidential data
C. Easy to manage access control to systems and network resources
D. Automated login for remote users - Correct Answer-Correct Answer: D
Section: Identity and Access Management
Explanation/Reference:
An automated login function for remote users would imply weak authentication, thus certainly not a security goal.
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).
QUESTION 184

Which of the following questions is less likely to help in assessing identification and authentication controls?
A. Is a current list maintained and approved of authorized users and their access?
B. Is a current list maintained and approved of authorized users and their access?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents? - Correct Answer-Correct Answer: D
Section: Identity and Access Management
Explanation/Reference:
Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (an operational control) than to identification and authentication (a technical control).
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).
QUESTION 185
How would nonrepudiation best be classified?
A. A preventive control
B. A logical control
C. A corrective control.
D. A compensating control - Correct Answer-Correct Answer: A
Section: Identity and Access Management
Explanation/Reference:
System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered a preventive control.
Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, December 2001, page 7
QUESTION 186
What are cognitive passwords?
A. Passwords that can be used only once.
B. Fact or opinion-based information used to verify an individual's identity.
C. Password generators that use a challenge response scheme.