
ISC2 CSSLP Free Certified Secure Software Lifecycle Professional practice test

10 real ISC2 CSSLP practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 499 questions whenever you’re ready. The ISC2 CSSLP passing score is 700 / 1000.


Answer key

All 10 ISC2 CSSLP questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free ISC2 CSSLP test.

Q1. An organization permits employees to set their own access permissions on personal files and folders stored on the corporate network. Which access control model does this describe?

Correct answer: C. DAC

Discretionary Access Control (DAC) allows resource owners to decide who may access their files and what level of access to grant. The owner exercises discretion over permissions. Mandatory Access Control (MAC) enforces centrally managed sensitivity labels and clearances — used in military classification systems. Role-Based Access Control (RBAC) ties permissions to predefined roles rather than individual owner choices. Attribute-Based Access Control (ABAC) evaluates a set of attributes associated with the requester and resource to make access decisions.

Q2. An organization grants system access based on attributes such as an employee's department, job title, or work location. Which access control model best describes this approach?

Correct answer: C. Attribute-based access control

Attribute-Based Access Control (ABAC) makes access decisions by evaluating characteristics — or attributes — tied to a user's identity, such as department, job title, or physical location. This differs from Role-Based Access Control (RBAC), which assigns permissions based on predefined roles rather than individual attributes. Rule-Based Access Control applies Boolean logic and ACL conditions (e.g., time-of-day restrictions). Mandatory Access Control (MAC) relies on centrally assigned sensitivity labels and clearances rather than user-specific attributes.

Q3. A financial system restricts access to sensitive records by granting permissions only to employees whose job functions require it. Which category of security control does this represent?

Correct answer: D. Preventative

This access control mechanism is a preventative control because it stops unauthorized access from occurring in the first place by enforcing job-function-based permissions. Preventative controls (e.g., firewalls, access controls, encryption) block incidents before they happen. Detective controls (e.g., audit logs, honeypots, IDS) identify incidents after they occur. Response controls mitigate damage once an incident is confirmed. Proactive activities such as threat hunting anticipate future threats rather than blocking present ones.

Q4. A mobile application processes sensitive customer data including financial records and personally identifiable information. Which security objective is primarily concerned with preventing unauthorized parties from viewing this data?

Correct answer: D. Confidentiality

Confidentiality is the security goal focused on preventing sensitive information from being disclosed to unauthorized parties. It can be enforced overtly through encryption or covertly through steganography and digital watermarking. Integrity focuses on preventing unauthorized modification of data. Encryption is a technique used to achieve confidentiality, not the objective itself. Access control governs who can interact with a resource but is not the primary definition of protecting data from unauthorized disclosure.

Q5. A security team deploys a system that monitors and analyzes behavioral patterns of users as they interact with their mobile devices — such as typing rhythm and touch gestures — to verify identity. Which authentication factor category does this fall under?

Correct answer: C. Something you do

Behavioral biometrics — such as typing cadence, swipe patterns, or mouse movements — fall under the 'something you do' authentication factor. This is a behavioral factor that goes beyond the three traditional factor categories: something you know (e.g., passwords and PINs), something you have (e.g., hardware tokens or smartphones), and something you are (e.g., physiological biometrics like fingerprints or iris scans). While 'something you do' can supplement authentication, it is not one of the standard three primary factors.

Q6. An enterprise uses biometric scans to verify who a user is before granting them permissions to carry out actions within the network. Which term specifically describes the identity verification step in this process?

Correct answer: C. Authentication

Authentication is the process of confirming that a user is who they claim to be. Biometric scans — which fall under the 'something you are' factor — are a common authentication mechanism. Authorization is the subsequent step that determines what an authenticated user is permitted to do. Verification and validation are general quality-assurance terms and do not map to formal security concepts in the context of access control.

Q7. Two departments within a financial institution hold data where one department's knowledge could give the other an unfair trading advantage. Which security model is BEST suited to prevent this type of information from crossing departmental boundaries?

Correct answer: D. Brewer-Nash

The Brewer-Nash model (also known as the Chinese Wall model) is a confidentiality model designed for commercial organizations where information held by one group must not be accessible to a conflicting group — for example, preventing insider-trading scenarios in financial institutions. Bell-LaPadula is a confidentiality model combining MAC and DAC focused on classification levels (no-read-up, no-write-down). Biba is an integrity model preventing lower-trust data from contaminating higher-trust data. Clark-Wilson is a transaction-based integrity model using Constrained Data Items (CDIs), Integrity Verification Processes (IVPs), and Transformation Processes (TPs).

Q8. A healthcare organization is deploying an electronic health record (EHR) system that will store millions of patient records. The most critical requirement is that records cannot be tampered with or altered, whether at rest or in transit. Which security property is MOST important here?

Correct answer: B. Integrity

Integrity ensures that data cannot be modified without authorization, which is paramount for EHR systems where altered records could endanger patient safety. Hash functions, digital signatures, parity bits, and cyclic redundancy checks are common integrity protections. Confidentiality prevents unauthorized disclosure but is secondary to preventing tampering in this scenario. Availability ensures systems remain accessible; important, but not the primary concern stated. Non-repudiation prevents denial of actions but is not the central requirement described.

Q9. A newly onboarded employee is given access exclusively to the sales database and the company's CRM platform, with no permissions to any other systems or data stores. Which security principle does this illustrate?

Correct answer: C. Least Privilege

The Principle of Least Privilege dictates that users receive only the minimum access rights required to perform their specific job functions — nothing more. In this scenario, the employee is restricted to only the two systems needed for their role. Separation of Duties splits high-risk tasks across multiple individuals to prevent fraud. Economy of Mechanism advocates for simple system designs to reduce vulnerabilities. Complete Mediation requires that authorization checks be performed on every access request without exception.

Q10. During an audit, a potential security issue goes unnoticed by the auditors. Which type of risk does this represent?

Correct answer: C. Detection risk

Detection risk is the risk that an audit procedure will fail to identify an existing problem. The three audit-specific risk categories are: Detection Risk (auditor fails to find an issue), Inherent Risk (risk that is naturally present in a process or technology before controls are applied), and Control Risk (risk that existing controls will not catch or prevent a risk event in time). Residual risk is distinct — it is the risk remaining after all risk management controls have been applied, and is not one of the three audit-specific risk types.

Exam facts and objectives sourced from the official ISC2 certification page. Last reviewed June 2026.
