- A security architect is designing controls to support a new regulatory mandate that requires demonstrable data residency. Which architectural artifact most directly enables auditors to verify that the design satisfies the residency requirement?
- A vulnerability scan report of the storage tier
- A control traceability matrix mapping each regulatory requirement to specific architectural controls
- An incident response runbook
- A network topology diagram of the data center
Correct answer: A control traceability matrix mapping each regulatory requirement to specific architectural controls
A traceability matrix explicitly links regulatory requirements to the controls implemented, giving auditors a direct line of evidence. Topology diagrams, runbooks, and scans support but do not by themselves demonstrate requirement-to-control coverage.
- When integrating a third-party SaaS into an enterprise architecture, which governance mechanism best ensures the provider's security posture is continuously aligned with the organization's risk appetite?
- Contractually binding SLAs paired with periodic independent attestation reviews (e.g., SOC 2 Type II)
- Requiring the vendor to use the same firewall vendor
- A penetration test performed once before go-live
- A one-time security questionnaire at procurement
Correct answer: Contractually binding SLAs paired with periodic independent attestation reviews (e.g., SOC 2 Type II)
Continuous alignment requires ongoing evidence; binding SLAs combined with recurring independent attestations (SOC 2 Type II) provide repeatable assurance over time. One-time questionnaires and tests only capture a point-in-time view.
- An architect must quantify the financial exposure of a candidate control investment. Which calculation expresses the value of implementing a control?
- Replacement cost of the asset divided by ARO
- ALE before control minus ALE after control, minus the annual cost of the control
- ARO multiplied by exposure factor only
- SLE multiplied by asset value
Correct answer: ALE before control minus ALE after control, minus the annual cost of the control
The value (cost-benefit) of a safeguard equals the reduction in annualized loss expectancy (ALE before minus ALE after) less the safeguard's annual cost. The other expressions are incomplete fragments of risk math.
- A multinational must reconcile GDPR with a local data-localization law that conflicts on cross-border transfer. What is the most defensible architectural approach?
- Ignore localization since GDPR supersedes all
- Apply only the law of the headquarters country
- Store all data in a single global region for simplicity
- Design to the most restrictive applicable requirement and document the conflict-resolution rationale
Correct answer: Design to the most restrictive applicable requirement and document the conflict-resolution rationale
When jurisdictional requirements conflict, architecting to the most restrictive obligation and documenting the rationale provides the strongest defensibility and compliance posture. Choosing a single jurisdiction's law or ignoring one creates compliance gaps.
- Which approach best embeds risk management into the system development lifecycle from an architectural standpoint?
- Conducting a single risk assessment at deployment
- Performing iterative risk assessments at each SDLC phase with architecture decision records capturing residual risk
- Transferring all risk to a cyber-insurance policy
- Relying on the operations team to manage all risk post-launch
Correct answer: Performing iterative risk assessments at each SDLC phase with architecture decision records capturing residual risk
Embedding iterative assessments at each phase with documented architecture decision records ensures risk is addressed by design and residual risk is tracked. Deferring to deployment, operations, or insurance leaves design-time risk unaddressed.
- An architect is advising leadership on accepting a residual risk that exceeds the documented risk tolerance. What is the most appropriate action?
- Reclassify the asset as low value to fit tolerance
- Implement the control regardless of cost without approval
- Escalate to the accountable risk owner for a formal, documented risk-acceptance decision
- Silently accept the risk to avoid delaying the project
Correct answer: Escalate to the accountable risk owner for a formal, documented risk-acceptance decision
Risk acceptance above tolerance must be a formal, documented decision made by the accountable owner who has authority to accept it. Architects advise; they do not unilaterally accept or manipulate classifications.
- Which control category is primarily intended to reduce the probability that a threat event occurs, rather than its impact?
- Corrective controls
- Preventive controls
- Recovery controls
- Compensating controls
Correct answer: Preventive controls
Preventive controls aim to stop an incident before it happens, lowering likelihood. Recovery and corrective controls act after an event, and compensating controls substitute for an unavailable primary control.
- An organization wants to align its security architecture with a recognized control framework that maps to multiple regulations to reduce audit duplication. Which strategy is most effective?
- Adopt a common controls framework and crosswalk it to each applicable regulation
- Use only the controls explicitly named in the newest regulation
- Outsource all compliance to the cloud provider
- Maintain a separate control set per regulation with no overlap
Correct answer: Adopt a common controls framework and crosswalk it to each applicable regulation
A common controls framework with crosswalks lets one control satisfy multiple regulatory requirements, minimizing duplicated effort and audit fatigue. Separate, non-overlapping sets multiply work and create gaps.
- During a risk assessment, an architect identifies a threat with low likelihood but catastrophic impact to a critical system. Which risk treatment is generally most appropriate?
- Accept it because likelihood is low
- Transfer or mitigate it because the impact severity dominates the decision
- Ignore it until it materializes
- Eliminate the business function entirely
Correct answer: Transfer or mitigate it because the impact severity dominates the decision
For low-likelihood, catastrophic-impact risks, severity drives treatment; transfer (insurance/contract) or mitigation is typically warranted because the potential loss is unacceptable. Pure acceptance based on low likelihood ignores impact.
- Which metric best communicates to the board whether the security architecture program is reducing enterprise risk over time?
- Total number of security tools licensed
- Count of patches applied per month
- Trend in residual risk relative to risk appetite across the portfolio
- Number of firewalls deployed
Correct answer: Trend in residual risk relative to risk appetite across the portfolio
Boards care about whether residual risk is trending toward or away from the stated appetite; that is a business-relevant outcome metric. Tool and activity counts are operational outputs, not risk-reduction indicators.
- An architect must classify data to drive downstream control selection. Which factor should primarily determine the classification level?
- The storage media cost
- The potential impact to the organization if confidentiality, integrity, or availability is compromised
- The number of users who can access it
- The age of the data
Correct answer: The potential impact to the organization if confidentiality, integrity, or availability is compromised
Data classification is driven by the impact of a CIA compromise, which determines the rigor of required controls. Media cost, user count, and age are secondary considerations.
- A regulation requires the organization to demonstrate accountability for processing decisions. Which architectural feature most directly supports this?
- Anonymizing all logs immediately
- Disabling logging to reduce data exposure
- Immutable, time-synchronized audit logging tied to authenticated identities
- Aggregating logs without timestamps
Correct answer: Immutable, time-synchronized audit logging tied to authenticated identities
Accountability requires reliably attributing actions to identities; immutable, time-synchronized logs tied to authenticated principals provide non-repudiable evidence. Anonymizing or disabling logs undermines accountability.
- When establishing a security governance structure, which arrangement best preserves objectivity of risk reporting?
- Eliminating a dedicated risk function to reduce overhead
- The CISO reports solely to the CIO whose budget the CISO competes for
- An independent reporting line for risk that reaches executive leadership or the board
- Risk decisions delegated entirely to project managers
Correct answer: An independent reporting line for risk that reaches executive leadership or the board
An independent risk reporting line to executives or the board reduces conflicts of interest and preserves objectivity. Subordinating risk reporting under a competing budget owner can bias outcomes.
- Which is the most accurate description of the architect's role regarding regulatory compliance?
- Translate legal and regulatory obligations into implementable, verifiable technical and process controls
- Approve the organization's risk appetite
- Determine the legal interpretation of statutes
- Guarantee legal compliance through technical controls alone
Correct answer: Translate legal and regulatory obligations into implementable, verifiable technical and process controls
The architect translates obligations (defined by legal/compliance functions) into verifiable controls. Legal interpretation and setting risk appetite belong to other functions, and technical controls alone never guarantee legal compliance.
- An architect needs to ensure that a high-value process cannot be completed by a single individual to reduce fraud risk. Which principle should the architecture enforce?
- Fail-safe defaults
- Defense in depth
- Least privilege only
- Separation of duties
Correct answer: Separation of duties
Separation of duties divides a sensitive task among multiple parties so no single person can complete it alone, directly reducing fraud and error. Least privilege limits access scope but does not by itself split a task.
- A security architecture model uses a layered abstraction to relate business drivers down to technical implementation across contextual, conceptual, logical, physical, component, and operational views. Which framework is being described?
- SABSA
- MITRE ATT&CK
- STRIDE
- OWASP ASVS
Correct answer: SABSA
SABSA is a business-driven security architecture framework organized into layered views (contextual through operational). STRIDE is a threat-modeling taxonomy, ASVS is an application verification standard, and ATT&CK is an adversary technique knowledge base.
- An architect models threats for a new payment service using STRIDE. A risk of an attacker modifying a transaction in transit maps to which STRIDE category?
- Spoofing
- Repudiation
- Tampering
- Elevation of privilege
Correct answer: Tampering
Unauthorized modification of data, including data in transit, is Tampering in STRIDE. Spoofing concerns identity, repudiation concerns deniability, and elevation of privilege concerns gaining unauthorized rights.
- When applying the Zachman Framework to security architecture, the framework primarily provides what?
- An automated threat-modeling engine
- A list of compliance mappings to regulations
- A prescriptive set of security controls to deploy
- A two-dimensional ontology of perspectives and interrogatives for organizing architecture artifacts
Correct answer: A two-dimensional ontology of perspectives and interrogatives for organizing architecture artifacts
Zachman is an ontology that classifies architecture descriptions by perspective (rows) and interrogatives such as what/how/where/who/when/why (columns). It is not prescriptive about controls or compliance mappings.
- An architect must select an access control model for a system where access decisions depend dynamically on subject, resource, action, and environmental conditions. Which model fits best?
- Attribute-based access control (ABAC)
- Mandatory access control (MAC) with fixed labels
- Role-based access control (RBAC) with static roles only
- Discretionary access control (DAC)
Correct answer: Attribute-based access control (ABAC)
ABAC evaluates policies over attributes of subject, resource, action, and environment, enabling dynamic, context-aware decisions. DAC, static RBAC, and label-only MAC lack this contextual flexibility.
- The Bell-LaPadula model is primarily designed to enforce which security property?
- Availability through redundancy
- Integrity through no-write-up
- Non-repudiation through digital signatures
- Confidentiality through no-read-up and no-write-down
Correct answer: Confidentiality through no-read-up and no-write-down
Bell-LaPadula enforces confidentiality via the simple property (no read up) and star property (no write down). Biba addresses integrity; Bell-LaPadula does not address availability or non-repudiation.
- An architect needs an integrity model that addresses well-formed transactions and separation of duties for commercial systems. Which model is most appropriate?
- Bell-LaPadula
- Brewer-Nash (Chinese Wall)
- Biba strict integrity only
- Clark-Wilson
Correct answer: Clark-Wilson
Clark-Wilson enforces integrity through well-formed transactions and separation of duties, making it suited to commercial environments. Brewer-Nash addresses conflict-of-interest, and Biba focuses purely on integrity levels.
- When producing a reference architecture, what is its primary purpose compared to a solution architecture?
- It is a finished, deployable configuration
- It replaces the need for threat modeling
- It specifies exact product versions for one deployment
- It provides a reusable, technology-agnostic template and patterns to guide multiple specific solution designs
Correct answer: It provides a reusable, technology-agnostic template and patterns to guide multiple specific solution designs
A reference architecture is a reusable, typically technology-agnostic blueprint that guides many concrete solution architectures. Solution architectures are specific, deployable designs derived from it.
- An architect wants to evaluate the security architecture against the principle that the design should not rely on attacker ignorance of the mechanism. This principle is best described as:
- Open design
- Complete mediation
- Security through obscurity
- Economy of mechanism
Correct answer: Open design
The open design principle (Saltzer and Schroeder) holds that security should not depend on secrecy of the design, only on protected keys/credentials. Economy of mechanism favors simplicity, and complete mediation requires checking every access.
- Which threat-modeling approach focuses on the assets, then attackers, then software, providing flexible entry points for analysis?
- An asset-centric, attacker-centric, or software-centric perspective that can serve as an entry point to threat modeling
- PASTA's single rigid sequence only
- Only diagram-free brainstorming
- Exclusively automated scanning
Correct answer: An asset-centric, attacker-centric, or software-centric perspective that can serve as an entry point to threat modeling
Threat modeling can begin from an asset-centric, attacker-centric, or software/system-centric perspective, giving flexible entry points. Restricting to one rigid sequence or to scanning alone is overly narrow.
- In a data flow diagram used for threat modeling, what does a trust boundary represent?
- A point where data or control crosses between zones of differing trust, warranting validation or controls
- The maximum throughput of a network link
- A physical wall in the data center
- The encryption algorithm in use
Correct answer: A point where data or control crosses between zones of differing trust, warranting validation or controls
A trust boundary marks where data crosses between differing trust levels, signaling where validation, authentication, or other controls must be applied. It is not about physical structure or throughput.
- An architect is mapping enterprise architecture using TOGAF's ADM. Security architecture is best integrated by:
- Replacing the ADM with a vendor's product roadmap
- Adding security only in the final implementation phase
- Treating security as outside TOGAF's scope
- Embedding security considerations across all ADM phases as a cross-cutting concern
Correct answer: Embedding security considerations across all ADM phases as a cross-cutting concern
Security is a cross-cutting concern that should be integrated throughout every TOGAF ADM phase rather than bolted on at the end. Deferring it or excluding it weakens the architecture.
- The Brewer-Nash (Chinese Wall) model dynamically restricts access based on what?
- The clearance level of the subject only
- The history of prior accesses, to prevent conflict-of-interest data exposure
- The time of day
- The encryption strength of the resource
Correct answer: The history of prior accesses, to prevent conflict-of-interest data exposure
Brewer-Nash uses access history to enforce dynamic separation, preventing a subject who accessed one conflict-of-interest dataset from accessing a competing one. It is not based on static clearance or time.
- Which statement best characterizes the use of a maturity model (e.g., capability maturity) in security architecture modeling?
- It provides a structured way to assess and benchmark the maturity of security capabilities and plan improvement
- It replaces risk assessment
- It is a real-time intrusion detection method
- It prescribes specific firewall rules
Correct answer: It provides a structured way to assess and benchmark the maturity of security capabilities and plan improvement
Maturity models offer a structured assessment and benchmarking mechanism to gauge current capability and chart improvement. They do not prescribe device-level rules or perform detection.
- An architect models a system and wants to ensure every access request is checked against the policy, with no caching of stale authorization decisions. Which design principle is being applied?
- Separation of privilege
- Psychological acceptability
- Least common mechanism
- Complete mediation
Correct answer: Complete mediation
Complete mediation requires that every access to every object be checked for authority, avoiding reliance on stale or cached decisions. The other principles address shared mechanisms, usability, and multi-condition authorization.
- When documenting a security architecture for diverse stakeholders, why are multiple architectural views (e.g., business, data, application, technology) recommended?
- Because different stakeholders need the architecture expressed at the abstraction and concern relevant to them
- To increase documentation volume for audits
- To obscure the design from competitors
- Because regulators mandate exactly four views
Correct answer: Because different stakeholders need the architecture expressed at the abstraction and concern relevant to them
Multiple views let each stakeholder group engage with the architecture at the abstraction and concerns relevant to their role, improving communication and decision-making. It is not about volume, mandates, or obscurity.
- An architect is designing network segmentation for an enterprise. Which approach best limits lateral movement after an endpoint compromise?
- Placing all servers in the DMZ
- Disabling internal firewalls to improve performance
- Microsegmentation with default-deny east-west policies between workloads
- A single flat VLAN for all internal hosts
Correct answer: Microsegmentation with default-deny east-west policies between workloads
Microsegmentation with default-deny east-west traffic confines a compromised host and curtails lateral movement. Flat networks and disabled internal controls allow attackers to traverse freely.
- In a zero-trust network architecture, what is the most fundamental design assumption?
- No implicit trust is granted based on network location; every request is authenticated and authorized
- Perimeter firewalls eliminate the need for internal controls
- VPN access makes a device trusted
- The internal network is inherently trusted
Correct answer: No implicit trust is granted based on network location; every request is authenticated and authorized
Zero trust assumes no implicit trust from network location; identity and context are verified for every request. Trusting the internal network, perimeter-only defense, or VPN-equals-trust contradict zero-trust principles.
- An architect must provide confidentiality and integrity for site-to-site traffic over the internet with mutual peer authentication. Which protocol suite is most appropriate?
- Telnet
- IPsec in tunnel mode with IKE
- SNMPv1
- Plain HTTP
Correct answer: IPsec in tunnel mode with IKE
IPsec tunnel mode with IKE provides confidentiality, integrity, and authenticated key exchange for site-to-site VPNs. HTTP, SNMPv1, and Telnet lack adequate or any encryption and mutual authentication.
- Which design provides the strongest assurance that a TLS private key cannot be extracted from a high-volume web tier?
- Offloading key operations to a FIPS 140-validated hardware security module (HSM)
- Storing the key in application configuration files
- Emailing the key to administrators for backup
- Embedding the key in the container image
Correct answer: Offloading key operations to a FIPS 140-validated hardware security module (HSM)
An HSM performs cryptographic operations without exposing the private key in usable form, providing strong key-protection assurance. Config files, images, and email all risk key disclosure.
- An architect designs DNS for a large enterprise and wants to protect against cache poisoning and forged responses. Which control should be specified?
- Using a single recursive resolver with no validation
- Round-robin DNS
- DNSSEC to provide origin authentication and integrity of DNS data
- Lowering the TTL to zero
Correct answer: DNSSEC to provide origin authentication and integrity of DNS data
DNSSEC cryptographically signs records, providing origin authentication and integrity that defeat forged or poisoned responses. Round-robin and TTL changes address load/freshness, not authenticity.
- When architecting a multi-tier web application, where should a web application firewall (WAF) typically be positioned?
- In front of the web/application tier to inspect inbound HTTP/S requests
- Between two database replicas
- Behind the database servers
- Only on developer workstations
Correct answer: In front of the web/application tier to inspect inbound HTTP/S requests
A WAF inspects inbound HTTP/S traffic and is positioned in front of the web/application tier to filter application-layer attacks. Placing it behind the database or between replicas would not intercept the relevant traffic.
- An architect needs to ensure that cloud workloads obtain short-lived credentials rather than long-lived static keys. Which approach is best?
- Use workload identity federation with automatically rotated, short-lived tokens
- Store keys in a public repository for convenience
- Share a single root credential across all workloads
- Hard-code access keys in the workload
Correct answer: Use workload identity federation with automatically rotated, short-lived tokens
Workload identity federation issues short-lived, automatically rotated tokens, eliminating long-lived static secrets and reducing exposure. Hard-coding, sharing root credentials, or public storage are severe anti-patterns.
- Which architectural choice best mitigates the risk of a single compromised hypervisor exposing all tenant workloads in a multi-tenant cloud?
- Disabling hypervisor patching to maintain uptime
- Co-locating all sensitive tenants on one host
- Strong tenant isolation with dedicated hosts or confidential computing for the highest-sensitivity workloads
- Sharing memory pages across tenants to save resources
Correct answer: Strong tenant isolation with dedicated hosts or confidential computing for the highest-sensitivity workloads
Dedicated hosts or confidential computing isolate the most sensitive tenants, limiting blast radius if the hypervisor is compromised. Co-location, disabled patching, and shared memory increase cross-tenant risk.
- An architect must protect data at rest across a storage array while enabling crypto-shredding of decommissioned data. Which design supports this?
- Encrypting with per-dataset keys whose destruction renders the data unrecoverable
- Relying solely on filesystem permissions
- Compressing data instead of encrypting
- Encrypting everything with one static key forever
Correct answer: Encrypting with per-dataset keys whose destruction renders the data unrecoverable
Per-dataset keys allow crypto-shredding: destroying a dataset's key makes that data permanently unrecoverable. A single static key prevents granular shredding, and permissions or compression do not protect at rest.
- Which network design pattern best ensures that management traffic for critical infrastructure is not exposed to the production data plane?
- An out-of-band management network isolated from production traffic
- Sharing the production VLAN for management
- Managing devices over the public internet without VPN
- Using the same credentials for management and user access
Correct answer: An out-of-band management network isolated from production traffic
An out-of-band management network segregates administrative access from the production data plane, reducing exposure and preserving access during data-plane incidents. The other options increase risk.
- An architect is selecting a cipher mode that provides both confidentiality and integrity in a single primitive for bulk data. Which is most appropriate?
- AES-CBC with no MAC
- AES-ECB
- AES-GCM (authenticated encryption)
- RC4
Correct answer: AES-GCM (authenticated encryption)
AES-GCM is an authenticated encryption mode providing confidentiality and integrity together. ECB leaks patterns, CBC without a MAC lacks integrity, and RC4 is deprecated and insecure.
- To defend against a volumetric DDoS attack on a public web service, which architectural control is most effective?
- Adding more application log verbosity
- Upstream cloud-based DDoS scrubbing and CDN edge absorption
- Shortening session timeouts
- Increasing the database connection pool
Correct answer: Upstream cloud-based DDoS scrubbing and CDN edge absorption
Volumetric DDoS must be absorbed upstream; cloud scrubbing and CDN edge capacity dissipate attack traffic before it reaches origin. Database tuning, logging, and timeouts do not address bandwidth saturation.
- An architect wants to ensure that compromise of the certificate authority signing key does not immediately enable forging certificates trusted by clients. Which design helps most?
- Distributing the root private key to all servers
- Disabling certificate revocation
- An offline root CA that signs intermediate CAs, with the root key kept offline in an HSM
- Using a single online root CA for all issuance
Correct answer: An offline root CA that signs intermediate CAs, with the root key kept offline in an HSM
Keeping the root CA offline (in an HSM) and issuing only to intermediates limits exposure of the root key, the ultimate trust anchor. Online roots, distributed keys, and disabled revocation drastically increase risk.
- Which approach best secures east-west service-to-service communication in a microservices mesh?
- Mutual TLS with automatically issued, short-lived service identities (e.g., via a service mesh)
- Plaintext intra-cluster traffic for performance
- A shared static API key for all services
- IP allow-lists only
Correct answer: Mutual TLS with automatically issued, short-lived service identities (e.g., via a service mesh)
Mutual TLS with short-lived per-service identities authenticates and encrypts service-to-service traffic and supports fine-grained policy. Plaintext, shared keys, and IP lists are weak in dynamic, ephemeral environments.
- An architect must select an architecture for protecting sensitive data processed in memory from a compromised host OS. Which technology is most relevant?
- Full-disk encryption only
- Application-layer input validation
- Confidential computing using a hardware-based trusted execution environment (TEE)
- TLS for network traffic only
Correct answer: Confidential computing using a hardware-based trusted execution environment (TEE)
Confidential computing uses a hardware TEE (enclave) to protect data in use even from a privileged but untrusted host OS. Disk and network encryption protect at rest and in transit, not in use.
- An architect is designing identity federation between an enterprise IdP and a SaaS provider. Which protocol is most commonly used for browser-based SSO assertions in enterprise settings?
- LDAP bind only
- RADIUS accounting
- SNMP
- SAML 2.0
Correct answer: SAML 2.0
SAML 2.0 is the long-standing standard for browser-based enterprise SSO via signed assertions between IdP and SP. SNMP, raw LDAP bind, and RADIUS accounting are not federation/SSO assertion protocols.
- In OAuth 2.0, what is the fundamental purpose of an access token?
- To store the user's password for reuse
- To authorize a client to access protected resources on behalf of the resource owner within a defined scope
- To authenticate the end user's identity to the client
- To encrypt the transport channel
Correct answer: To authorize a client to access protected resources on behalf of the resource owner within a defined scope
An OAuth 2.0 access token represents delegated authorization (scope) to call resources on the resource owner's behalf. User authentication is the concern of OIDC's ID token, and tokens do not store passwords or encrypt transport.
- OpenID Connect adds which capability on top of OAuth 2.0?
- DNS resolution
- A standardized identity layer providing authenticated user information via an ID token
- Network packet filtering
- Disk encryption
Correct answer: A standardized identity layer providing authenticated user information via an ID token
OIDC layers authentication onto OAuth 2.0, issuing an ID token (a signed JWT) conveying authenticated user claims. OAuth alone handles authorization, not standardized authentication.
- An architect wants phishing-resistant multifactor authentication for a high-value workforce. Which authenticator type best meets this goal?
- Email magic links
- Knowledge-based security questions
- FIDO2/WebAuthn hardware security keys with origin binding
- SMS one-time passcodes
Correct answer: FIDO2/WebAuthn hardware security keys with origin binding
FIDO2/WebAuthn keys cryptographically bind to the origin, resisting phishing and credential replay. SMS, security questions, and email links are susceptible to interception, social engineering, or phishing.
- Which IAM design principle most directly limits the damage a compromised service account can cause?
- Granting broad standing privileges for convenience
- Sharing one account across all services
- Least privilege with scoped, time-bound, and just-in-time access
- Disabling logging on service accounts
Correct answer: Least privilege with scoped, time-bound, and just-in-time access
Least privilege combined with just-in-time, time-bound, scoped access minimizes what a compromised credential can reach and for how long. Broad standing access and shared accounts amplify damage.
- An architect must design privileged access management for domain administrators. Which control best reduces standing privileged exposure?
- Disabling MFA for admins to speed access
- Permanent membership in the domain admins group
- Shared admin password posted in a wiki
- Just-in-time elevation with approval workflow and session recording via a PAM solution
Correct answer: Just-in-time elevation with approval workflow and session recording via a PAM solution
JIT elevation with approvals and session recording removes standing privilege and provides accountability. Permanent membership, shared passwords, and disabling MFA dramatically increase privileged risk.
- In an identity architecture, what is the primary function of an identity provider (IdP) versus a service provider (SP)?
- They are interchangeable terms for the same component
- The IdP authenticates the user and asserts identity; the SP relies on that assertion to grant access
- The IdP stores files while the SP authenticates users
- The IdP encrypts disks and the SP manages DNS
Correct answer: The IdP authenticates the user and asserts identity; the SP relies on that assertion to grant access
The IdP performs authentication and issues identity assertions; the SP (relying party) consumes those assertions to authorize access. They are distinct roles in federation, not interchangeable.
- An architect is designing the joiner-mover-leaver lifecycle. Which capability most reduces orphaned and excessive entitlements over time?
- Manual annual access reviews via spreadsheets only
- Letting users request access without approval
- Never removing access to avoid disruption
- Automated provisioning/deprovisioning driven by an authoritative HR source with periodic access certification
Correct answer: Automated provisioning/deprovisioning driven by an authoritative HR source with periodic access certification
Automated lifecycle management tied to an authoritative source, plus access certification, keeps entitlements aligned with current roles and removes orphaned access. Manual-only and never-remove approaches accumulate entitlement creep.
- Which token-handling design best mitigates the impact of a stolen OAuth bearer access token?
- Long-lived tokens with no expiration
- Storing tokens in browser local storage indefinitely
- Reusing one token across all users
- Short-lived access tokens combined with sender-constrained tokens (e.g., DPoP or mTLS binding)
Correct answer: Short-lived access tokens combined with sender-constrained tokens (e.g., DPoP or mTLS binding)
Short lifetimes limit the window of misuse, and sender-constrained tokens bind a token to a specific client key so a stolen bearer token is unusable elsewhere. Long-lived, persisted, or shared tokens worsen exposure.
- An architect needs to enforce step-up authentication when a user attempts a high-risk action. Which architectural pattern supports this?
- Continuous, risk-adaptive authentication that triggers additional factors based on context and action sensitivity
- Disable authentication for internal users
- Require the same single factor for every action
- Authenticate once at login and never re-evaluate
Correct answer: Continuous, risk-adaptive authentication that triggers additional factors based on context and action sensitivity
Risk-adaptive (continuous) authentication evaluates context and action sensitivity to require step-up factors when warranted. A one-time login or uniform single factor cannot respond to elevated risk dynamically.
- When designing directory services for a large enterprise, which approach best supports a single authoritative identity while serving heterogeneous applications?
- Using local OS accounts everywhere
- Manually creating accounts per app on request
- A centralized identity source with synchronization/virtualization to applications and federated authentication
- Each application maintains its own isolated identity store
Correct answer: A centralized identity source with synchronization/virtualization to applications and federated authentication
A centralized authoritative identity, synchronized or virtualized to apps with federated authentication, reduces duplication and inconsistency. Per-app or local-account silos create fragmentation and security gaps.
- An architect must decide how to represent fine-grained authorization decisions externalized from application code. Which pattern is best?
- Granting all authenticated users full access
- Storing authorization logic only in the database triggers
- A policy decision point (PDP) evaluating externalized policy, with policy enforcement points (PEPs) in apps
- Hard-coding role checks throughout the codebase
Correct answer: A policy decision point (PDP) evaluating externalized policy, with policy enforcement points (PEPs) in apps
Externalizing authorization to a PDP with PEPs (the XACML/policy-as-code pattern) centralizes and standardizes decisions while keeping enforcement at the resource. Hard-coded checks scatter and duplicate logic.
- Which design best mitigates the risk of SAML assertion replay between an IdP and SP?
- Accepting assertions from any issuer
- Disabling signature checks for performance
- Allowing assertions to be valid indefinitely
- Enforcing short assertion validity windows, unique assertion IDs, audience restriction, and signature validation
Correct answer: Enforcing short assertion validity windows, unique assertion IDs, audience restriction, and signature validation
Short validity windows, one-time assertion IDs, audience restrictions, and signature validation collectively prevent replay and misuse. Indefinite validity, disabled signatures, or any-issuer acceptance enable attacks.
- An architect is integrating B2B partner identities without provisioning accounts in the local directory. Which model is most appropriate?
- Sharing a single guest credential among all partners
- Emailing temporary passwords for each session
- Creating shadow local accounts for every partner user
- Federated identity, trusting the partner's IdP for authentication and mapping claims to local authorization
Correct answer: Federated identity, trusting the partner's IdP for authentication and mapping claims to local authorization
Federation lets the partner's IdP authenticate users while the local system maps asserted claims to authorization, avoiding account sprawl. Shadow accounts, shared credentials, and emailed passwords are insecure and unscalable.
- An architect needs to design authorization that survives a single role explosion problem while keeping fine-grained control. Which hybrid approach is often most effective?
- No access control with monitoring only
- Pure RBAC with thousands of narrowly scoped roles
- RBAC for coarse-grained access combined with ABAC for fine-grained, context-sensitive decisions
- DAC managed entirely by end users
Correct answer: RBAC for coarse-grained access combined with ABAC for fine-grained, context-sensitive decisions
Combining RBAC for broad role assignment with ABAC for context-sensitive fine-grained decisions avoids role explosion while keeping precise control. Pure RBAC at fine granularity produces unmanageable role counts.
- An architect is defining secure SDLC requirements. At which point is threat modeling most cost-effectively performed?
- During design, before significant code is written
- Only during incident response
- After deployment to production
- After the first audit finding
Correct answer: During design, before significant code is written
Threat modeling during design identifies and addresses flaws before they are coded, when remediation is cheapest. Doing it only post-deployment or post-incident increases cost and risk.
- Which control most directly mitigates SQL injection at the application architecture level?
- Disabling database logging
- Obscuring table names
- Increasing database CPU
- Parameterized queries / prepared statements with input validation
Correct answer: Parameterized queries / prepared statements with input validation
Parameterized queries separate code from data so user input cannot alter query structure, directly preventing SQL injection. Renaming tables or scaling hardware does not address the injection flaw.
- An architect wants to prevent secrets from being embedded in application source code. Which design is best?
- Commit secrets to a private repository
- Base64-encode secrets in the code
- Retrieve secrets at runtime from a centralized secrets manager with access controls and rotation
- Store secrets in environment variables checked into version control
Correct answer: Retrieve secrets at runtime from a centralized secrets manager with access controls and rotation
A centralized secrets manager supplies credentials at runtime with access control and rotation, keeping them out of source. Committing or encoding secrets, even base64, leaves them exposed.
- Which architectural defense most effectively mitigates cross-site scripting (XSS) in a web application?
- Disabling HTTPS
- Relying solely on network firewalls
- Context-aware output encoding plus a strict Content Security Policy
- Increasing session timeout
Correct answer: Context-aware output encoding plus a strict Content Security Policy
Context-aware output encoding neutralizes injected script, and a strict CSP limits where scripts can load and execute, together strongly mitigating XSS. Network firewalls and session settings do not address script injection.
- An architect integrates security testing into CI/CD. Which combination provides the broadest coverage across the pipeline?
- SAST, SCA, and DAST integrated as automated pipeline gates with periodic manual penetration testing
- Only signature-based antivirus on the build server
- Only a manual review at release
- Only production monitoring
Correct answer: SAST, SCA, and DAST integrated as automated pipeline gates with periodic manual penetration testing
SAST (code), SCA (dependencies), and DAST (running app) as automated gates plus periodic manual pentesting cover code, components, and runtime. Single-point or manual-only approaches leave large gaps.
- To address software supply-chain risk, which architectural practice provides the strongest assurance of artifact provenance?
- Building only on developer laptops
- Disabling dependency updates entirely
- Cryptographically signing build artifacts and verifying signatures plus generating an SBOM
- Trusting any artifact in the public registry
Correct answer: Cryptographically signing build artifacts and verifying signatures plus generating an SBOM
Signing artifacts with verification and producing an SBOM establishes provenance and component transparency across the supply chain. Trusting unverified artifacts or building on uncontrolled laptops undermines integrity.
- Which design pattern best prevents insecure direct object reference (IDOR) vulnerabilities?
- Hiding object IDs in the UI only
- Enforcing per-request, server-side authorization checks that the subject may access the specific object
- Trusting client-side validation
- Relying on unguessable sequential IDs
Correct answer: Enforcing per-request, server-side authorization checks that the subject may access the specific object
IDOR is prevented by verifying on the server that the authenticated subject is authorized for the specific requested object on every request. Obscuring or client-side controls are bypassable.
- An architect designs an API gateway. Which control best protects backend services from abusive or malicious request volume?
- Rate limiting and throttling combined with authentication and input validation at the gateway
- Removing authentication to speed requests
- Allowing unlimited requests from authenticated clients
- Caching error responses only
Correct answer: Rate limiting and throttling combined with authentication and input validation at the gateway
Rate limiting/throttling at the gateway, paired with authentication and validation, protects backends from abuse and resource exhaustion. Removing auth or allowing unlimited requests increases risk.
- Which approach best secures sensitive data handled by a mobile application on potentially untrusted devices?
- Minimizing local storage, using platform secure storage/keystore, and enforcing transport encryption with certificate pinning
- Embedding API secrets in the app binary
- Trusting the device to be jailbreak-free without checks
- Storing data in plaintext on the device for speed
Correct answer: Minimizing local storage, using platform secure storage/keystore, and enforcing transport encryption with certificate pinning
Minimizing stored data, leveraging the platform keystore, and using TLS with certificate pinning protect data on untrusted devices and against interception. Plaintext storage and embedded secrets are easily extracted.
- An architect must design protection against deserialization attacks in a service that accepts serialized objects. Which is the best approach?
- Log payloads without validating them
- Increase memory to handle large payloads
- Avoid native deserialization of untrusted data; use safe data formats with strict schema validation and allow-listing of types
- Accept any serialized object and rely on the firewall
Correct answer: Avoid native deserialization of untrusted data; use safe data formats with strict schema validation and allow-listing of types
Avoiding native deserialization of untrusted input and using schema-validated formats with type allow-lists prevents object-injection attacks. Firewalls and logging do not stop deserialization exploitation.
- Which architectural principle ensures an application fails into a secure state when an error occurs during an authorization check?
- Fail-secure (fail-closed) so that an error denies access by default
- Fail-open to preserve availability
- Retry indefinitely until it succeeds
- Ignore the error and continue
Correct answer: Fail-secure (fail-closed) so that an error denies access by default
Fail-secure means an error in an authorization decision results in denied access (default deny), preventing accidental exposure. Fail-open and ignoring errors can grant unintended access.
- An architect designs server-side defenses against cross-site request forgery (CSRF) for a session-cookie-based app. Which is most effective?
- Anti-CSRF tokens bound to the session plus SameSite cookie attributes
- Disabling cookies entirely
- Longer passwords
- Relying only on referer header presence
Correct answer: Anti-CSRF tokens bound to the session plus SameSite cookie attributes
Synchronizer anti-CSRF tokens tied to the session, combined with SameSite cookie attributes, robustly defend against CSRF. Referer checks alone are unreliable, and password length is unrelated.
- When defining requirements to verify an application meets defined security controls, which standard provides a tiered set of verifiable application security requirements?
- ISO 9001 quality management
- NIST SP 800-53 physical controls
- OWASP Application Security Verification Standard (ASVS)
- PCI DSS network segmentation only
Correct answer: OWASP Application Security Verification Standard (ASVS)
OWASP ASVS offers tiered, verifiable application security requirements suitable for defining and testing app security. The other standards are not focused, verifiable application-control catalogs.
- Which design decision best reduces the attack surface of a microservice exposed publicly?
- Running the service as root for convenience
- Allowing debug endpoints in production
- Exposing only the minimal required endpoints behind an authenticated gateway and disabling unused features
- Exposing all internal endpoints for flexibility
Correct answer: Exposing only the minimal required endpoints behind an authenticated gateway and disabling unused features
Minimizing exposed endpoints behind an authenticated gateway and disabling unused features and debug interfaces shrinks the attack surface. Broad exposure, root execution, and debug endpoints expand it.
- An architect must reduce the risk that developers inadvertently introduce vulnerable open-source components. Which control is most preventive?
- Allowing any dependency from any source
- Software composition analysis with policy gates blocking known-vulnerable or unapproved components in CI
- Manual review of dependencies once a year
- Disabling dependency management
Correct answer: Software composition analysis with policy gates blocking known-vulnerable or unapproved components in CI
SCA with enforced policy gates in CI blocks known-vulnerable or disallowed components before they reach production, preventing introduction at the source. Annual manual review is too infrequent to be preventive.
- An architect is designing a SIEM-centered detection capability. Which design choice most improves the fidelity of alerts?
- Forwarding all logs with no normalization or correlation
- Disabling alerting to reduce noise
- Normalizing and enriching events, then correlating across sources with use-case-driven detection rules
- Alerting on every single log entry
Correct answer: Normalizing and enriching events, then correlating across sources with use-case-driven detection rules
Normalization, enrichment, and cross-source correlation tied to specific detection use cases reduce false positives and surface meaningful incidents. Raw firehose ingestion or per-entry alerting overwhelms analysts.
- Which architecture best supports rapid, consistent incident response across a large environment?
- Keeping runbooks solely in individuals' memory
- Ad hoc manual response by whoever is available
- A SOAR platform with documented, automated playbooks integrated with detection and ticketing
- Responding only during business hours
Correct answer: A SOAR platform with documented, automated playbooks integrated with detection and ticketing
SOAR with automated, documented playbooks integrated into detection and ticketing standardizes and accelerates response at scale. Ad hoc or memory-based processes are slow and inconsistent.
- An architect must ensure log integrity for forensic admissibility. Which control is most important?
- Storing logs only on the source host
- Rotating logs daily with no retention
- Allowing administrators to edit logs to correct errors
- Write-once/immutable log storage with cryptographic hashing and synchronized time sources
Correct answer: Write-once/immutable log storage with cryptographic hashing and synchronized time sources
Immutable storage, hashing, and synchronized time provide tamper-evidence and reliable timelines essential for forensic admissibility. Editable logs, host-only storage, and no retention undermine integrity.
- When architecting vulnerability management, which approach best prioritizes remediation effort?
- Patch strictly in the order vulnerabilities were discovered
- Patch only the highest CVSS base scores regardless of context
- Patch nothing until the annual maintenance window
- Risk-based prioritization combining exploitability, asset criticality, and exposure
Correct answer: Risk-based prioritization combining exploitability, asset criticality, and exposure
Risk-based prioritization that weighs exploitability (e.g., known exploited), asset criticality, and exposure focuses effort where it most reduces risk. CVSS base score alone or discovery order ignores context.
- Which design ensures continuity of security monitoring during a regional cloud outage?
- A single-region SIEM with no redundancy
- Disabling monitoring during incidents to save resources
- Multi-region log collection and analytics with failover and durable, replicated storage
- Local-only logging on each host
Correct answer: Multi-region log collection and analytics with failover and durable, replicated storage
Multi-region collection, analytics failover, and replicated durable storage keep monitoring operational during a regional outage. Single-region or local-only designs lose visibility precisely when it is most needed.
- An architect integrates threat intelligence into operations. Which use provides the most operational value?
- Collecting feeds but never operationalizing them
- Blocking on every raw indicator from all feeds without vetting
- Automatically enriching detections and informing detection engineering and blocking with curated, relevant indicators
- Sharing all internal data publicly
Correct answer: Automatically enriching detections and informing detection engineering and blocking with curated, relevant indicators
Operationalized, curated threat intel that enriches detections and informs detection engineering and selective blocking adds value while controlling false positives. Unused feeds or blanket blocking of unvetted indicators cause noise or outages.
- Which architectural capability most directly enables detection of lateral movement within an environment?
- Perimeter firewall logs only
- Quarterly vulnerability scans
- Marketing analytics dashboards
- East-west network visibility and endpoint detection correlated with identity/authentication telemetry
Correct answer: East-west network visibility and endpoint detection correlated with identity/authentication telemetry
Lateral movement occurs internally, so east-west network and endpoint telemetry correlated with authentication events are needed to detect it. Perimeter-only logs and periodic scans miss internal pivoting.
- An architect designs backup architecture to withstand ransomware. Which characteristic is most critical?
- Backups encrypted with the production domain admin account only
- Backups stored on the same writable network share as production
- Immutable, air-gapped or logically isolated backups with tested restoration procedures
- Backups taken once per year
Correct answer: Immutable, air-gapped or logically isolated backups with tested restoration procedures
Immutable and isolated backups that cannot be altered or deleted by an attacker, plus tested restores, are essential ransomware resilience. Co-located writable or rarely taken backups are easily compromised or stale.
- Which metric best measures the effectiveness of a SOC's detection and response architecture?
- Number of dashboards created
- Mean time to detect (MTTD) and mean time to respond (MTTR) trends
- Number of log sources onboarded
- Total storage consumed by logs
Correct answer: Mean time to detect (MTTD) and mean time to respond (MTTR) trends
MTTD and MTTR trends directly reflect how quickly threats are detected and contained, the core SOC outcomes. Source counts, storage, and dashboard tallies are inputs, not effectiveness measures.
- An architect must design secure configuration management at scale. Which approach best prevents configuration drift from a hardened baseline?
- Documenting the baseline but never enforcing it
- Manual configuration of each host
- Allowing administrators to make ad hoc changes without tracking
- Infrastructure-as-code with automated enforcement and continuous compliance scanning against a hardened baseline
Correct answer: Infrastructure-as-code with automated enforcement and continuous compliance scanning against a hardened baseline
IaC with automated enforcement and continuous compliance scanning detects and corrects drift from the hardened baseline. Manual or untracked changes inevitably cause drift.
- Which design best supports forensic readiness so that investigations can be conducted effectively after an incident?
- Storing evidence on the compromised system
- Predefined logging, retention, time synchronization, and chain-of-custody procedures established before incidents occur
- Collecting evidence only after legal demands it
- Minimizing all logging to reduce cost
Correct answer: Predefined logging, retention, time synchronization, and chain-of-custody procedures established before incidents occur
Forensic readiness requires pre-established logging, retention, accurate time, and chain-of-custody processes so evidence is available and defensible. Minimal logging or reactive collection undermines investigations.
- An architect is defining alerting for a detection-and-response architecture. Which practice best balances coverage and analyst workload?
- Disable low-severity alerts permanently without review
- Maximize alert volume to never miss anything
- Route all alerts to a single shared inbox
- Tune detections with severity-based routing, suppression of known benign noise, and tiered escalation
Correct answer: Tune detections with severity-based routing, suppression of known benign noise, and tiered escalation
Tuning with severity-based routing, suppressing known-benign noise, and tiered escalation maintains coverage while keeping analyst workload manageable. Maximizing volume or a single inbox causes fatigue; blanket disabling loses coverage.
- Which architectural choice best enables containment of a compromised endpoint without disrupting the entire network?
- Disabling all internet access company-wide
- Network isolation/quarantine of the specific host via EDR or dynamic segmentation policy
- Shutting down the core switch
- Reimaging every endpoint immediately
Correct answer: Network isolation/quarantine of the specific host via EDR or dynamic segmentation policy
Targeted isolation of the affected host via EDR or dynamic segmentation contains the threat with minimal disruption. Shutting down core infrastructure or company-wide measures cause unnecessary outages.
- An architect integrates security operations with the broader IT change process. Which integration most reduces the risk of changes introducing exposures?
- Reviewing changes only after incidents occur
- Embedding security review and automated policy checks into the change-management workflow
- Approving all emergency changes without review
- Excluding security from change advisory entirely
Correct answer: Embedding security review and automated policy checks into the change-management workflow
Embedding security review and automated policy/compliance checks into change management catches risky changes before deployment. Excluding security or reviewing only post-incident allows exposures to slip through.
- Which approach best validates that a security architecture's controls actually operate as intended after deployment?
- Waiting for an external breach to reveal failures
- Assuming controls work because they were designed correctly
- Reviewing only the design documents annually
- Continuous control validation through testing such as breach-and-attack simulation and control assessments
Correct answer: Continuous control validation through testing such as breach-and-attack simulation and control assessments
Continuous validation (e.g., breach-and-attack simulation, control assessments) confirms controls operate effectively over time, catching drift and gaps. Assumptions or doc-only reviews do not verify real-world efficacy.
- An architect is selecting a foundational standard against which the organization will design, certify, and continually improve an information security management system (ISMS). Which standard specifies the certifiable requirements for an ISMS?
- ISO/IEC 27002
- ISO/IEC 27701
- ISO/IEC 27005
- ISO/IEC 27001
Correct answer: ISO/IEC 27001
ISO/IEC 27001 is the certifiable standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS, and it is the standard against which third-party certification is granted. ISO/IEC 27002 provides implementation guidance (a catalog of controls) but is not itself certifiable, ISO/IEC 27005 addresses information security risk management, and ISO/IEC 27701 extends the ISMS into a privacy information management system.
- An organization wants detailed implementation guidance and a reference catalog of information security controls to support its ISMS, rather than the auditable management-system requirements themselves. Which standard is the architect describing?
- ISO/IEC 27002
- ISO/IEC 27001
- ISO/IEC 22301
- ISO/IEC 31000
Correct answer: ISO/IEC 27002
ISO/IEC 27002 is the code of practice that provides a reference set of information security controls with implementation guidance, used to support the controls referenced by an ISO/IEC 27001 ISMS. ISO/IEC 27001 states the certifiable management-system requirements, ISO/IEC 22301 covers business continuity management, and ISO/IEC 31000 provides general enterprise risk-management principles.
- An architect needs a standard dedicated specifically to information security risk management methodology to structure the identification, analysis, and evaluation of risk feeding the ISMS. Which standard fits best?
- ISO/IEC 27005
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 20000
Correct answer: ISO/IEC 27005
ISO/IEC 27005 provides guidance specifically on information security risk management, including risk identification, analysis, evaluation, and treatment that feeds an ISO/IEC 27001 ISMS. ISO/IEC 27001 sets ISMS requirements broadly, ISO/IEC 27017 gives cloud-specific security controls, and ISO/IEC 20000 addresses IT service management.
- A multinational service provider must demonstrate it manages privacy obligations as an extension of its existing ISO/IEC 27001 ISMS, addressing roles as both controller and processor. Which standard is purpose-built for this?
- ISO/IEC 29100
- ISO/IEC 27005
- ISO/IEC 27701
- ISO/IEC 27018
Correct answer: ISO/IEC 27701
ISO/IEC 27701 specifies requirements for a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001 and 27002, with controller- and processor-specific controls. ISO/IEC 27018 narrowly covers protection of PII in public clouds, ISO/IEC 29100 is a privacy framework reference model, and ISO/IEC 27005 addresses security risk management rather than privacy management.
- In NIST Cybersecurity Framework 2.0, a sixth core function was added to make organizational risk strategy, policy, oversight, and supply-chain risk management explicit. Which function is this?
- Protect
- Govern
- Respond
- Identify
Correct answer: Govern
The Govern function is the function added in CSF 2.0 (published 2024) to establish, communicate, and monitor the organization's cybersecurity risk-management strategy, expectations, and policy, and it is depicted at the center informing the other five functions. Identify, Protect, and Respond are pre-existing functions concerned with asset understanding, safeguards, and incident response rather than overarching governance.
- An architect uses NIST CSF 2.0 Tiers to describe the organization's approach to managing cybersecurity risk. What do the Tiers primarily characterize?
- The rigor and maturity of the organization's cybersecurity risk-governance and risk-management practices
- The encryption strength applied to data at rest and in transit
- A mandatory compliance score that determines certification pass or fail
- The dollar value of cyber-insurance coverage required for each system
Correct answer: The rigor and maturity of the organization's cybersecurity risk-governance and risk-management practices
CSF 2.0 Tiers (Partial, Risk Informed, Repeatable, Adaptive) characterize the degree of rigor and maturity in an organization's cybersecurity risk-governance and risk-management practices, not a pass/fail certification. Tiers are not a compliance score, an insurance requirement, or an encryption-strength measure.
- An organization wants to compare its present cybersecurity posture against a desired future state using NIST CSF 2.0. Which CSF construct supports this current-versus-target comparison?
- Organizational Profiles
- The CSF Core functions list
- Informative References
- Implementation Tiers
Correct answer: Organizational Profiles
Organizational Profiles describe an organization's current and target cybersecurity outcomes, enabling a gap comparison between where the organization is and where it wants to be. Tiers describe maturity of governance practices, the Core lists desired outcomes, and Informative References map to other standards, but the current-versus-target comparison is the purpose of Profiles.
- An architect must choose a quantitative risk model that decomposes risk into the frequency of loss events and the probable magnitude of loss to produce a defensible probability distribution of annual loss. Which model is being described?
- A qualitative 5x5 risk heat map
- FAIR (Factor Analysis of Information Risk)
- A control self-assessment questionnaire
- The Delphi technique
Correct answer: FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) is a quantitative model that decomposes risk into loss event frequency and loss magnitude to produce probabilistic, defensible loss estimates. A 5x5 heat map and the Delphi technique are qualitative methods, and a control self-assessment evaluates control presence rather than quantifying loss.
- An architect compares risk-assessment approaches for the board. Which statement correctly contrasts quantitative and qualitative risk assessment?
- Quantitative assessment requires no data and relies solely on expert intuition
- Quantitative assessment expresses risk in monetary terms using data-driven values, while qualitative assessment uses relative ratings such as high, medium, and low
- Qualitative assessment always produces more precise dollar figures than quantitative assessment
- Qualitative assessment is the only method that can rank risks for prioritization
Correct answer: Quantitative assessment expresses risk in monetary terms using data-driven values, while qualitative assessment uses relative ratings such as high, medium, and low
Quantitative risk assessment expresses risk in measurable monetary terms (for example using SLE, ARO, and ALE), whereas qualitative assessment uses relative descriptive ratings such as high, medium, and low. Qualitative methods do not produce precise dollar figures, quantitative methods are data-driven rather than intuition-only, and both approaches can be used to rank and prioritize risks.
- An architect chairs a workshop where a panel of anonymous subject-matter experts iteratively submits and refines risk estimates until consensus emerges, avoiding dominance by any single voice. Which qualitative technique is in use?
- The Delphi technique
- The FAIR model
- Single loss expectancy analysis
- Monte Carlo simulation
Correct answer: The Delphi technique
The Delphi technique gathers anonymous, iterative input from subject-matter experts and refines it across rounds to reach consensus while reducing the influence of dominant individuals. Monte Carlo simulation and FAIR are quantitative approaches, and single loss expectancy analysis is a quantitative calculation, not a consensus-building qualitative method.
- During a business impact analysis, an architect must define the absolute maximum length of time a critical business process can remain unavailable before causing severe or irreparable harm. Which metric captures this?
- Maximum Tolerable Downtime (MTD)
- Annualized Rate of Occurrence (ARO)
- Mean Time Between Failures (MTBF)
- Recovery Point Objective (RPO)
Correct answer: Maximum Tolerable Downtime (MTD)
Maximum Tolerable Downtime (MTD) defines the longest a process can be down before severe or irreparable harm occurs, and it bounds the recovery objectives. RPO measures tolerable data loss, MTBF measures reliability between failures, and ARO is a quantitative risk-frequency variable unrelated to outage tolerance.
- An architect is defining the maximum acceptable amount of data loss, measured as a point in time to which systems must be recoverable after a disruption. Which metric is this?
- Recovery Point Objective (RPO)
- Maximum Tolerable Downtime (MTD)
- Work Recovery Time (WRT)
- Recovery Time Objective (RTO)
Correct answer: Recovery Point Objective (RPO)
The Recovery Point Objective (RPO) expresses the maximum acceptable data loss as a point in time to which data must be restorable, effectively setting backup frequency. RTO is the targeted time to restore systems, WRT is the time to validate and resume business functions after restoration, and MTD is the overall ceiling on downtime.
- An architect documents the relationship among recovery metrics for a continuity design. Which equation correctly relates Maximum Tolerable Downtime to its components?
- MTD = RPO + RTO
- MTD = RTO + WRT
- MTD = RTO - WRT
- MTD = RPO x ARO
Correct answer: MTD = RTO + WRT
Maximum Tolerable Downtime equals Recovery Time Objective plus Work Recovery Time (MTD = RTO + WRT): RTO covers restoring systems and WRT covers validating and resuming business functions, and together they must fit within the MTD ceiling. RPO is a separate data-loss metric, not a summand of MTD, so the other expressions are incorrect.
- An organization needs a certifiable management-system standard dedicated specifically to business continuity, so its continuity program can be independently audited. Which standard should the architect cite?
- ISO/IEC 27001
- ISO 31000
- ISO 9001
- ISO 22301
Correct answer: ISO 22301
ISO 22301 specifies requirements for a business continuity management system (BCMS) and supports independent certification of continuity programs. ISO/IEC 27001 covers information security management, ISO 31000 provides non-certifiable enterprise risk-management guidance, and ISO 9001 addresses quality management.
- An architect distinguishes inherent risk from residual risk when reporting to governance. Which definition pair is correct?
- Inherent risk is the risk remaining after controls; residual risk is the risk before controls
- Inherent risk is the risk before any controls are applied; residual risk is the risk remaining after controls are applied
- Inherent risk and residual risk are identical once a control framework is adopted
- Inherent risk is the transferred portion of risk; residual risk is the accepted portion
Correct answer: Inherent risk is the risk before any controls are applied; residual risk is the risk remaining after controls are applied
Inherent risk is the level of risk present before any controls are applied, while residual risk is what remains after controls have reduced it. Residual risk is what governance must compare against risk appetite and decide whether to accept; the reversed and conflated definitions are incorrect.
- An architect organizes the organization's directive documents into a hierarchy. Which sequence correctly ranks them from highest-level mandate to most detailed step-by-step instruction?
- Standard, policy, guideline
- Procedure, standard, policy
- Policy, standard, procedure
- Guideline, procedure, policy
Correct answer: Policy, standard, procedure
The governance document hierarchy runs from policy (high-level management intent and mandate), to standard (mandatory specific requirements), to procedure (detailed step-by-step instructions). Guidelines are recommended, non-mandatory advice and sit alongside these; the reversed orderings are incorrect.
- An architect must explain how a guideline differs from a standard in a governance program. Which statement is accurate?
- A standard is mandatory and enforceable, while a guideline is a recommended best practice that is not mandatory
- A guideline overrides a policy when the two conflict
- Both standards and guidelines are legally binding regulations
- A guideline is mandatory and a standard is optional
Correct answer: A standard is mandatory and enforceable, while a guideline is a recommended best practice that is not mandatory
A standard imposes mandatory, enforceable requirements, whereas a guideline offers recommended best practices that organizations may adapt and are not compulsory. Guidelines are not mandatory, neither document is inherently a legal regulation, and guidelines never override higher-level policy.
- An architect classifies a logging-and-alerting capability by control function. A control whose primary purpose is to discover and signal that a security event has occurred is best categorized as which type?
- Deterrent
- Detective
- Corrective
- Preventive
Correct answer: Detective
A detective control identifies and signals that an event has occurred, as logging and alerting do. A preventive control stops an event before it happens, a corrective control restores systems after an event, and a deterrent control discourages an actor from attempting an action, so those do not match a discovery-and-alert capability.
- An architect groups controls by the dimension that distinguishes policies and training from firewalls and from locks and fences. Which categorization is being applied?
- Strategic, tactical, and operational controls
- Preventive, detective, and corrective controls
- Administrative, technical, and physical controls
- Mandatory, discretionary, and role-based controls
Correct answer: Administrative, technical, and physical controls
The administrative-technical-physical categorization distinguishes managerial controls (policies, training), technical or logical controls (firewalls, encryption), and physical controls (locks, fences). The preventive/detective/corrective scheme classifies by function rather than nature, and the other two pairings are not standard control-nature categories.
- An organization receiving outsourced services wants independent assurance about the design and operating effectiveness of a service provider's controls over security, availability, and confidentiality over a period of time. Which report should the architect request?
- A SOC 1 Type I report
- A SOC 2 Type II report
- A penetration test executive summary
- A vulnerability scan snapshot
Correct answer: A SOC 2 Type II report
A SOC 2 Type II report provides independent attestation on the design and operating effectiveness of a provider's controls over the Trust Services Criteria (including security, availability, and confidentiality) across a period of time. A SOC 1 addresses controls over financial reporting, a Type I covers only design at a point in time, and pen-test or scan outputs are not formal attestations of control operating effectiveness.
- An architect distinguishes the focus of a SOC 1 report from a SOC 2 report when evaluating a vendor. Which statement is correct?
- SOC 1 addresses controls relevant to a user entity's financial reporting, while SOC 2 addresses controls against the Trust Services Criteria such as security and availability
- SOC 1 and SOC 2 are interchangeable and cover identical control sets
- SOC 2 is a public marketing report while SOC 1 is confidential
- SOC 1 addresses security and privacy, while SOC 2 addresses only financial controls
Correct answer: SOC 1 addresses controls relevant to a user entity's financial reporting, while SOC 2 addresses controls against the Trust Services Criteria such as security and availability
SOC 1 reports concern internal controls over financial reporting that affect a user entity's financial statements, whereas SOC 2 reports address the Trust Services Criteria such as security, availability, processing integrity, confidentiality, and privacy. The reports are not interchangeable, and the financial-versus-security distinction is what separates them.
- An architect designing controls for a U.S. healthcare provider's systems must ensure the architecture protects the confidentiality, integrity, and availability of electronic protected health information. Which regulation primarily governs this obligation?
- HIPAA Security Rule
- Sarbanes-Oxley Act (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
Correct answer: HIPAA Security Rule
The HIPAA Security Rule sets the requirements for safeguarding the confidentiality, integrity, and availability of electronic protected health information (ePHI). SOX governs financial reporting controls, GLBA covers financial institutions' protection of customer data, and FERPA protects student education records, so none of those is the primary ePHI mandate.
- An architect must ensure a public company's systems supporting financial reporting maintain integrity and auditable controls over those records. Which U.S. law most directly drives these controls?
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Children's Online Privacy Protection Act (COPPA)
- Sarbanes-Oxley Act (SOX)
Correct answer: Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) requires public companies to maintain and attest to the effectiveness of internal controls over financial reporting, driving integrity and auditability of financial systems. HIPAA addresses health data, COPPA addresses children's online privacy, and PCI DSS is a contractual standard for cardholder data rather than a financial-reporting law.
- An architect supporting a U.S. federal agency must align the system's security program with the statutory framework requiring agencies to implement risk-based information security controls. Which law applies?
- Sarbanes-Oxley Act (SOX)
- Federal Information Security Modernization Act (FISMA)
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLBA)
Correct answer: Federal Information Security Modernization Act (FISMA)
FISMA requires U.S. federal agencies to develop and implement risk-based information security programs, operationalized through NIST standards such as the RMF and SP 800-53. GLBA targets financial institutions, GDPR is an EU privacy regulation, and SOX governs public-company financial reporting, so none of those is the governing federal-agency statute.
- An architect advising a U.S. financial institution must safeguard the security and confidentiality of customer financial information and provide privacy notices. Which law most directly imposes these obligations?
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Federal Information Security Modernization Act (FISMA)
Correct answer: Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the security and confidentiality of customer financial information and to provide privacy notices, implemented in part through its Safeguards Rule. HIPAA covers health data, FISMA covers federal agencies, and FERPA covers education records, so they do not govern financial-customer data protection.
- An architect must address security risks introduced by hardware, software, and service suppliers across the product life cycle. Which NIST publication provides the cybersecurity supply chain risk management practices to reference?
- NIST SP 800-63
- NIST SP 800-92
- NIST SP 800-161
- NIST SP 800-115
Correct answer: NIST SP 800-161
NIST SP 800-161 provides cybersecurity supply chain risk management (C-SCRM) practices for systems and organizations, addressing supplier, product, and service risks across the life cycle. SP 800-63 covers digital identity, SP 800-115 covers security testing, and SP 800-92 covers log management, so those do not target supply-chain risk.
- In the NIST Risk Management Framework, the first step establishes essential context, roles, risk tolerance, and an organization-wide risk-management strategy before any system is categorized. Which step is this?
- Authorize
- Select
- Prepare
- Categorize
Correct answer: Prepare
The Prepare step, added in NIST SP 800-37 Revision 2, establishes context, assigns roles, defines risk tolerance, and sets an organization-wide risk-management strategy as the foundation for the rest of the RMF. Categorize, Select, and Authorize occur later and depend on the groundwork laid during Prepare.
- An architect is selecting the baseline of security and privacy controls for a federal system after categorization. Which NIST catalog provides the controls drawn upon in the RMF Select step?
- FIPS 199
- NIST SP 800-53
- NIST SP 800-30
- NIST SP 800-37
Correct answer: NIST SP 800-53
NIST SP 800-53 is the catalog of security and privacy controls from which baselines are selected during the RMF Select step. SP 800-37 defines the RMF process itself, FIPS 199 governs security categorization, and SP 800-30 provides the risk-assessment methodology, so none of those is the control catalog.
- An architect categorizes a federal information system and must assign impact levels of low, moderate, or high across confidentiality, integrity, and availability. Which standard establishes these categories?
- NIST SP 800-61
- FIPS 140-3
- FIPS 199
- NIST SP 800-88
Correct answer: FIPS 199
FIPS 199 establishes the standards for categorizing federal information and systems by potential impact (low, moderate, high) to confidentiality, integrity, and availability. FIPS 140-3 governs cryptographic module validation, SP 800-88 covers media sanitization, and SP 800-61 covers incident handling, so they do not define impact categorization.
- An architect tailors a control baseline by adding specialized controls for a system that processes industrial control data, producing a community-specific set of controls. What is this tailored, community-specific control set called?
- A compensating control
- A control exception
- An overlay
- A baseline reset
Correct answer: An overlay
An overlay is a specification of controls and tailoring tailored to a specific community of interest, technology, or environment such as industrial control systems. A compensating control substitutes for an infeasible control, a control exception is a documented deviation, and a baseline reset is not a standard tailoring construct.
- An architect cannot implement a required control as written but proposes an alternative that meets the control's intent and provides equivalent protection. What is the alternative called?
- A residual exception
- An inherent risk
- A control overlay
- A compensating control
Correct answer: A compensating control
A compensating control is an alternative safeguard implemented when the prescribed control is not feasible, and it must satisfy the intent and provide equivalent protection. Inherent risk is the pre-control risk level, a control overlay tailors a baseline to a community, and a residual exception is not a standard term for an equivalent substitute.
- An architect must distinguish a Key Risk Indicator (KRI) from a Key Performance Indicator (KPI) when designing governance dashboards. Which statement is correct?
- A KRI is a forward-looking metric signaling rising risk exposure, while a KPI measures how well an objective or process is being achieved
- A KPI can only be expressed in monetary terms while a KRI cannot
- KRIs and KPIs are identical and interchangeable in governance reporting
- A KRI measures process efficiency while a KPI predicts future losses
Correct answer: A KRI is a forward-looking metric signaling rising risk exposure, while a KPI measures how well an objective or process is being achieved
A Key Risk Indicator is a forward-looking signal that risk exposure is increasing, whereas a Key Performance Indicator measures achievement of an objective or process performance. The two are distinct rather than interchangeable, the roles are not reversed, and neither is restricted to monetary expression.
- An architect designs a defined commitment between the organization and an external service provider specifying measurable service levels such as availability and response time. Which agreement captures this?
- A Memorandum of Understanding (MOU)
- A Business Associate Agreement (BAA)
- An Operational Level Agreement (OLA)
- A Service Level Agreement (SLA)
Correct answer: A Service Level Agreement (SLA)
A Service Level Agreement (SLA) is the commitment between an organization and an external provider that defines measurable service levels such as availability and response time. An OLA governs internal-team commitments, an MOU is a non-binding statement of intent, and a BAA is a HIPAA-specific data-handling contract, so those do not specify external service levels.
- An architect needs to formalize internal commitments between supporting teams that together deliver a service backing an external SLA. Which document is appropriate?
- A Service Level Agreement (SLA)
- An Operational Level Agreement (OLA)
- An Interconnection Security Agreement (ISA)
- A Non-Disclosure Agreement (NDA)
Correct answer: An Operational Level Agreement (OLA)
An Operational Level Agreement (OLA) formalizes commitments among internal teams whose combined performance supports an externally facing SLA. An SLA is the external commitment, an NDA protects confidential information, and an ISA governs the technical and security terms of connecting two systems, so those do not cover internal inter-team delivery commitments.
- An architect must embed data-retention and disposal requirements into a system design driven by governance and regulatory obligations. What primarily determines how long a given record must be retained?
- The personal preference of the system administrator
- The default retention setting shipped with the database product
- Legal, regulatory, and business requirements applicable to that record type
- The available storage capacity of the backup system
Correct answer: Legal, regulatory, and business requirements applicable to that record type
Retention periods are determined by the legal, regulatory, and business requirements that apply to a record type, and the architecture must enforce those periods and secure disposal afterward. Storage capacity, administrator preference, and vendor defaults do not establish lawful retention obligations and must not drive retention decisions.
- An architect designs storage and processing for a global service and must address data sovereignty. What does data sovereignty primarily require the architecture to account for?
- That only the data owner's home-country laws ever apply regardless of storage location
- That data must always be encrypted with a single global key
- That data may be stored anywhere as long as it is backed up twice
- That data is subject to the laws and governance of the jurisdiction in which it is physically located
Correct answer: That data is subject to the laws and governance of the jurisdiction in which it is physically located
Data sovereignty means data is subject to the laws and governance structures of the jurisdiction where it is physically stored, so the architecture must control where data resides and which legal regimes apply. It is not satisfied by a single encryption key or duplicate backups, and storage location, not solely the owner's home country, can determine applicable law.
- An architect applies privacy by design and must distinguish it from privacy by default under GDPR principles. Which statement is correct?
- Privacy by default builds privacy into systems while privacy by design requires users to opt in
- Privacy by design applies only after a breach has occurred
- Both terms refer solely to encrypting data in transit
- Privacy by design builds privacy protections into systems from the outset, while privacy by default ensures the most privacy-protective settings apply automatically without user action
Correct answer: Privacy by design builds privacy protections into systems from the outset, while privacy by default ensures the most privacy-protective settings apply automatically without user action
Privacy by design embeds privacy protections into systems and processes from the start, while privacy by default ensures the most privacy-protective configuration is active automatically unless a user chooses otherwise. The reversed definition is wrong, the principles extend well beyond encryption in transit, and they apply proactively rather than only after a breach.
- An architect establishes governance oversight for the security program and must place ultimate accountability for the program. In a sound governance model, where does ultimate accountability for information security rest?
- With the board and senior executive leadership
- With the external auditors who certify the program
- With individual end users following acceptable-use policies
- With the security operations center analysts
Correct answer: With the board and senior executive leadership
Ultimate accountability for information security rests with the board and senior executive leadership, who set risk appetite, approve strategy, and own governance outcomes. SOC analysts execute operations, external auditors provide independent assurance rather than ownership, and end users have responsibilities but not ultimate organizational accountability.
- An architect must explain why governance functions such as audit and risk reporting should remain organizationally independent from the operational teams they assess. What is the primary reason?
- To eliminate the need for any external audit
- To reduce headcount by combining the two functions
- To preserve objectivity and avoid conflicts of interest where teams would otherwise assess their own work
- To allow operations staff to approve their own control exceptions faster
Correct answer: To preserve objectivity and avoid conflicts of interest where teams would otherwise assess their own work
Separating governance and assurance functions from operations preserves objectivity and prevents the conflict of interest that arises when a team evaluates its own work. The goal is independent oversight, not reduced headcount, faster self-approval of exceptions, or elimination of external audit.
- An architect must select a governance and management framework that aligns IT and security objectives with enterprise goals and provides governance and management objectives across the IT life cycle. Which framework fits this enterprise IT-governance purpose?
- COBIT
- NIST SP 800-88
- PCI DSS
- STRIDE
Correct answer: COBIT
COBIT is an enterprise framework for the governance and management of information and technology, aligning IT and security objectives with business goals across governance and management objectives. PCI DSS is a cardholder-data control standard, SP 800-88 covers media sanitization, and STRIDE is a threat-modeling method, so none of those serves as the enterprise IT-governance framework.
- An architect maintains a risk register for ongoing governance. Which set of elements should each risk-register entry contain at minimum?
- Only the date the system was last patched
- Risk description, likelihood, impact, owner, and chosen treatment
- Only the dollar value of the asset at risk
- Only the name of the vendor that supplied the system
Correct answer: Risk description, likelihood, impact, owner, and chosen treatment
A risk-register entry should capture, at minimum, the risk description, its likelihood and impact, an assigned owner, and the chosen treatment so governance can track and act on it over time. A single data point such as asset value, vendor name, or patch date is insufficient to manage and monitor a risk.
- An architect must advise leadership on a risk whose likelihood is low but whose impact would be catastrophic, exceeding any cost-effective mitigation, for an activity the business considers essential. Which combined treatment is most defensible?
- Accept the full catastrophic exposure with no further action
- Avoid the risk by terminating the essential business activity
- Mitigate to the extent cost-effective and transfer the remaining catastrophic exposure, for example through insurance
- Ignore the risk because its likelihood is low
Correct answer: Mitigate to the extent cost-effective and transfer the remaining catastrophic exposure, for example through insurance
For an essential activity with low-likelihood but catastrophic impact, the defensible approach is to mitigate where cost-effective and transfer the residual catastrophic exposure (for example via insurance), since the activity cannot simply be terminated. Avoidance is not viable for an essential function, and blanket acceptance or ignoring the risk leaves catastrophic exposure unmanaged.
- An architect must determine, before designing recovery capabilities, which business processes are most critical and what their recovery requirements are. Which governance activity provides this prioritized input?
- Business Impact Analysis (BIA)
- Single loss expectancy calculation
- Penetration test
- Static application security testing
Correct answer: Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) identifies critical processes and their dependencies and determines recovery requirements such as MTD, RTO, and RPO that drive continuity and recovery design. A penetration test evaluates exploitability, an SLE calculation values a single loss event, and static application testing inspects code, so none of those produces the prioritized continuity requirements.
- An ISSAP candidate is asked to define the trusted computing base (TCB) for a server platform. Which description most accurately captures what the TCB is?
- The single most privileged user account configured on the operating system
- The totality of protection mechanisms (hardware, firmware, and software) that work together to enforce the system's security policy
- The collection of antivirus and endpoint detection agents installed on the host
- The physically locked data-center cage that houses the server
Correct answer: The totality of protection mechanisms (hardware, firmware, and software) that work together to enforce the system's security policy
The trusted computing base is the totality of protection mechanisms within a system, spanning hardware, firmware, and software, that combine to enforce the security policy. A privileged account, endpoint agents, or a physical cage are individual components or controls, not the aggregate of trust-enforcing mechanisms the TCB describes.
- A security architect is documenting the reference monitor concept for a new operating-system design. Which set of properties must the reference monitor satisfy?
- It must be fast, redundant, and load-balanced
- It must mediate all access, be tamperproof, and be verifiable (small enough to be analyzed and tested)
- It must be open-source, peer-reviewed, and licensed
- It must be encrypted, signed, and air-gapped
Correct answer: It must mediate all access, be tamperproof, and be verifiable (small enough to be analyzed and tested)
The reference monitor is an abstract machine that must mediate every access by subjects to objects, be tamperproof (protected from modification), and be verifiable, meaning small and simple enough to be completely analyzed and tested. Performance, redundancy, encryption, and licensing characteristics are not the defining requirements of the reference monitor concept.
- What is the relationship between the reference monitor and the security kernel?
- The security kernel is the hardware, firmware, and software that implements the reference monitor concept
- They are unrelated; the reference monitor is hardware and the security kernel is policy
- The reference monitor is a subset of the security kernel's logging subsystem
- The security kernel replaces the reference monitor in modern microkernel designs
Correct answer: The security kernel is the hardware, firmware, and software that implements the reference monitor concept
The security kernel is the hardware, firmware, and software elements of the trusted computing base that actually implement the abstract reference monitor concept. The reference monitor is the conceptual model (mediate all access, tamperproof, verifiable); the security kernel is its concrete realization, so they are tightly related rather than unrelated or substitutive.
- During a design review, an architect must explain why the security kernel is deliberately kept small. What is the primary rationale?
- A small kernel consumes less disk space in the boot partition
- A small, simple kernel can be completely analyzed, tested, and verified to be correct
- A small kernel is easier to translate into other languages
- A smaller kernel runs faster on legacy hardware
Correct answer: A small, simple kernel can be completely analyzed, tested, and verified to be correct
Keeping the security kernel small directly serves the reference monitor's verifiability requirement: a compact, simple body of code can be exhaustively analyzed and tested for correctness, which is impractical for a large, complex code base. Speed, disk footprint, and translation are not the security-driven reasons for minimizing the kernel.
- In the reference monitor model, which property specifically guarantees that the access-mediation mechanism cannot be altered by an attacker?
- Completeness
- Verifiability
- Availability
- Tamperproof
Correct answer: Tamperproof
The tamperproof property ensures the reference monitor is protected from all unauthorized modification so the mediation logic stays intact. Completeness (always invoked) ensures it is never bypassed, verifiability ensures it can be tested as correct, and availability is not one of the three defining reference-monitor properties.
- A medical-device vendor states its product was evaluated to EAL4 under Common Criteria (ISO/IEC 15408). What does the EAL primarily communicate to an architect selecting the product?
- A guarantee that the product is free of all defects
- The level of assurance (rigor of evaluation) that the security functions work as claimed, not the absolute strength of the functions
- The maximum throughput the device can sustain under load
- The number of vulnerabilities remaining in the product
Correct answer: The level of assurance (rigor of evaluation) that the security functions work as claimed, not the absolute strength of the functions
An Evaluation Assurance Level expresses how rigorously the target of evaluation was examined, giving confidence that its security functions behave as specified; it is a measure of assurance, not of intrinsic strength or defect-freedom. A higher EAL means deeper documentation, analysis, and testing, but it does not promise zero vulnerabilities or describe performance.
- Two firewalls are evaluated under Common Criteria: one at EAL2 and one at EAL5. Assuming identical claimed security functions, what is the correct interpretation?
- The EAL2 product has fewer features than the EAL5 product
- The EAL5 product was evaluated with greater rigor (semi-formal design methods), giving higher assurance the claims hold
- The two ratings are interchangeable and convey no meaningful difference
- The EAL5 product is faster than the EAL2 product
Correct answer: The EAL5 product was evaluated with greater rigor (semi-formal design methods), giving higher assurance the claims hold
A higher EAL reflects more demanding evaluation requirements; EAL5 adds semi-formal design and analysis beyond EAL2's structurally tested level, yielding greater confidence the claimed functions are correctly implemented. EAL says nothing about speed or feature count, and the levels are not interchangeable.
- Under Common Criteria, what is the meaning of the highest level, EAL7?
- The product carries the longest warranty period
- The product's design is formally verified and mathematically proven correct, reserved for the most critical components
- The product has passed a one-time penetration test
- The product has been functionally tested only
Correct answer: The product's design is formally verified and mathematically proven correct, reserved for the most critical components
EAL7, formally verified design and tested, requires full formal modeling of the design and mathematical proof of correctness, and is used only for the most critical (often defense or cryptographic) components. Functional-only testing is EAL1, and a single penetration test or warranty length has no bearing on the EAL designation.
- An enterprise security architecture program is being established to align security with business strategy across the organization. Which statement best defines enterprise security architecture?
- The configuration baseline for a single application server
- A discipline that translates business strategy and risk into a coherent, layered set of security capabilities, standards, and patterns across the enterprise
- A catalog of approved firewall and antivirus products
- The incident-response call tree for the security operations center
Correct answer: A discipline that translates business strategy and risk into a coherent, layered set of security capabilities, standards, and patterns across the enterprise
Enterprise security architecture is the practice of translating business strategy and risk appetite into an integrated, layered structure of security capabilities, principles, standards, and reusable patterns spanning the whole organization. A product catalog, a single server baseline, or a call tree are narrow artifacts, not the enterprise-wide architectural discipline.
- What is the central, distinguishing characteristic of the SABSA framework compared with most other architecture approaches?
- It is a real-time intrusion-detection methodology
- It is a list of mandatory cryptographic algorithms
- It is a vendor-specific product reference design
- It is business-driven, deriving security requirements from business goals and risk rather than from technology
Correct answer: It is business-driven, deriving security requirements from business goals and risk rather than from technology
SABSA (Sherwood Applied Business Security Architecture) is fundamentally business-driven: it starts from business goals and risk and traces them down through architectural layers to implementation and operation. It is not vendor-specific, an algorithm list, or a detection methodology, which are common misconceptions.
- The SABSA matrix is formed by intersecting its architecture layers with a set of guiding questions. Which questions form the columns of the SABSA matrix?
- Plan, do, check, and act
- Confidentiality, integrity, availability, and accountability
- What, why, how, who, where, and when
- Identify, protect, detect, respond, and recover
Correct answer: What, why, how, who, where, and when
The SABSA matrix intersects its six layers with the six interrogatives What, Why, How, Who, Where, and When, producing a grid of architecture concerns. The CIA triad, the PDCA cycle, and the NIST CSF functions are different models and do not define the SABSA matrix columns.
- In the SABSA layered model, which layer represents the business view, capturing what the organization needs to protect and why it matters?
- The physical layer
- The logical layer
- The contextual layer
- The component layer
Correct answer: The contextual layer
The contextual layer is the business view in SABSA, defining the assets, drivers, and risks the organization must address and why they matter. The logical layer specifies required security services, the physical layer covers implementing technologies, and the component layer addresses specific products and configurations.
- Within SABSA, which layer spans and supports all the other layers to handle day-to-day management and maintenance of the security architecture?
- The contextual layer
- The logical layer
- The conceptual layer
- The operational security architecture layer
Correct answer: The operational security architecture layer
The operational security architecture layer cuts across all SABSA layers and addresses the ongoing management, monitoring, and maintenance needed to keep the architecture effective in practice. The conceptual, contextual, and logical layers each occupy a single horizontal level rather than spanning the others.
- An architect maps SABSA's logical layer to the matrix question 'How.' What does this intersection most directly describe?
- The business risks driving the requirement
- The physical data-center location
- The names of the responsible executives
- The security services and mechanisms (the how) needed to deliver the required protection at the logical level
Correct answer: The security services and mechanisms (the how) needed to deliver the required protection at the logical level
At the logical layer, the 'How' column captures the security services and mechanisms required to satisfy the conceptual policies, such as authentication or authorization services. The 'Why' column captures business risk drivers, 'Where' captures location, and 'Who' captures roles, so those map to different cells of the matrix.
- A CISO must choose between SABSA and TOGAF for an initiative. Which comparison is most accurate?
- SABSA is a security-specific, risk-driven framework while TOGAF is a general enterprise-architecture framework; they are complementary and often integrated
- SABSA and TOGAF cannot be used together under any circumstances
- TOGAF is security-only and SABSA is business-only
- Both are purely technical configuration standards
Correct answer: SABSA is a security-specific, risk-driven framework while TOGAF is a general enterprise-architecture framework; they are complementary and often integrated
SABSA is a security-focused, business-risk-driven framework, whereas TOGAF is a broad enterprise-architecture methodology centered on the Architecture Development Method; the two are complementary and are frequently combined so security is embedded in enterprise architecture. They are not mutually exclusive, and neither is a mere configuration standard.
- How does the TOGAF Architecture Development Method (ADM) best accommodate security architecture?
- By replacing the ADM phases with the SABSA matrix
- By embedding security as a cross-cutting concern integrated throughout the ADM phases
- By limiting security to the technology architecture phase only
- By treating security as a separate project run after the ADM completes
Correct answer: By embedding security as a cross-cutting concern integrated throughout the ADM phases
TOGAF treats security as a cross-cutting concern woven through every ADM phase so that security requirements shape business, data, application, and technology architectures alike. Confining security to one phase or deferring it until the method finishes leaves the architecture exposed and is contrary to TOGAF guidance.
- An architect adopts the Zachman Framework to organize enterprise architecture artifacts, including security. What does the Zachman Framework fundamentally provide?
- A cloud reference architecture with specific services
- A prescriptive sequence of security controls to deploy
- A two-dimensional classification schema (ontology) of stakeholder perspectives crossed with interrogatives
- A penetration-testing methodology
Correct answer: A two-dimensional classification schema (ontology) of stakeholder perspectives crossed with interrogatives
The Zachman Framework is an ontology: a matrix that classifies architecture descriptions by stakeholder perspective (its rows) against the interrogatives what, how, where, who, when, and why (its columns). It is descriptive and organizing, not a prescriptive control list, a testing method, or a cloud blueprint, so security artifacts are placed within its cells rather than dictated by it.
- When applying the Zachman Framework to security, why is it described as a schema rather than a methodology?
- Because it classifies and organizes architecture descriptions but does not prescribe a process for producing them
- Because it tells architects exactly which steps to perform in order
- Because it is only used for database design
- Because it generates threat models automatically
Correct answer: Because it classifies and organizes architecture descriptions but does not prescribe a process for producing them
Zachman is a classification schema: it provides cells for organizing architecture artifacts by perspective and interrogative but is silent on the process used to create them, which is why it pairs well with methodologies like TOGAF's ADM. It does not dictate ordered steps, restrict itself to databases, or automate threat modeling.
- An architect is articulating secure design principles for a new platform. Saltzer and Schroeder's 'economy of mechanism' principle states that designs should be:
- As small and simple as possible so they can be analyzed and are less likely to contain flaws
- As feature-rich as possible to anticipate every need
- Hidden from users to prevent reverse engineering
- Distributed across as many components as possible
Correct answer: As small and simple as possible so they can be analyzed and are less likely to contain flaws
Economy of mechanism holds that the protection design should be kept small and simple, because errors creating unwanted access paths are easier to find and avoid in simple designs. Feature maximization, secrecy of design, and forced distribution run counter to this principle of simplicity.
- A design team debates default behavior for a new authorization subsystem. Applying the 'fail-safe defaults' secure design principle, the architecture should:
- Deny access by default and grant only on explicit permission
- Allow access during errors to preserve availability
- Grant access unless an explicit denial rule exists
- Base access on the user's seniority by default
Correct answer: Deny access by default and grant only on explicit permission
Fail-safe defaults base access decisions on explicit permission rather than exclusion, so the absence of an explicit grant results in denial. Defaulting to allow, failing open during errors, or using seniority as an implicit grant all violate the principle by permitting access that was never explicitly authorized.
- Which secure design principle emphasizes that protection mechanisms must be easy enough to use that people apply them correctly without circumventing them?
- Least common mechanism
- Separation of privilege
- Complete mediation
- Psychological acceptability
Correct answer: Psychological acceptability
Psychological acceptability requires the human interface to security to be designed for ease of use so that users routinely and correctly apply protections rather than bypassing them. Least common mechanism, separation of privilege, and complete mediation are valid Saltzer-Schroeder principles but address shared resources, multi-condition access, and per-access checking respectively.
- An architect wants a system whose security does not depend on attackers being unaware of how the mechanism works. Which secure design principle and which anti-pattern are in tension here?
- Open design versus security through obscurity
- Least privilege versus separation of duties
- Complete mediation versus fail-open
- Defense in depth versus single point of failure
Correct answer: Open design versus security through obscurity
The open design principle states that security should rest on the protection of keys and credentials, not on secrecy of the mechanism, directly opposing security through obscurity. The other pairings describe different, unrelated trade-offs and do not capture the secrecy-of-mechanism debate.
- An architect designs a layered control strategy so that the failure of any single safeguard does not lead to compromise. This strategy is best described as:
- Security through obscurity
- Single sign-on
- Defense in depth
- Fail-open design
Correct answer: Defense in depth
Defense in depth layers multiple, independent controls so that if one fails, others still protect the asset, reducing reliance on any single safeguard. Single sign-on is an authentication convenience, security through obscurity hides design details, and fail-open weakens rather than strengthens layered protection.
- A reviewer challenges a 'defense in depth' design that uses three different vendors' firewalls in series but identical configurations and signatures. What is the most valid critique?
- Identical logic across layers reduces diversity, so a single weakness can defeat all layers at once
- Defense in depth requires exactly two layers, never three
- Layering is always wasteful and should be removed
- Multiple vendors automatically guarantee complete protection
Correct answer: Identical logic across layers reduces diversity, so a single weakness can defeat all layers at once
Effective defense in depth relies on diversity so that distinct layers fail independently; if every layer shares the same logic or signatures, one bypass technique can defeat all of them, undermining the strategy. Layering is not inherently wasteful, there is no fixed layer count, and merely using multiple vendors does not guarantee protection without genuine control diversity.
- A security architect is designing a high-assurance system and must decide where to place the most security-critical functions. Following sound architecture practice, these functions should be:
- Delegated entirely to third-party libraries
- Implemented only in the user-interface layer
- Spread evenly across all application modules to share responsibility
- Concentrated within a small, well-defined trusted computing base that can be rigorously verified
Correct answer: Concentrated within a small, well-defined trusted computing base that can be rigorously verified
Concentrating security-critical functions in a small, well-defined TCB lets the protection mechanisms be rigorously analyzed and verified, consistent with the reference monitor's verifiability goal. Scattering critical logic everywhere, confining it to the UI, or fully outsourcing it to libraries enlarges and obscures the trust boundary, making assurance far harder.
- In a layered (ring) protection architecture, what is the security purpose of placing the operating-system kernel in the innermost, most privileged ring?
- To allow any application to call kernel functions without checks
- To isolate the most trusted code and prevent less-trusted outer-ring code from directly manipulating critical resources
- To make the kernel render graphics faster
- To reduce the amount of memory the kernel uses
Correct answer: To isolate the most trusted code and prevent less-trusted outer-ring code from directly manipulating critical resources
Protection rings place the most trusted code in the innermost ring and enforce controlled gates so less-privileged outer rings cannot directly access or alter critical resources, preserving the integrity of the trusted base. The model is about isolation and mediated transitions, not graphics performance, unrestricted calls, or memory savings.
- An architect is selecting a state-machine-based confidentiality model for a defense system that must prevent information from flowing to lower classification levels. Which model and rule apply?
- Brewer-Nash, with dynamic conflict-of-interest classes
- Bell-LaPadula, with the star property (no write down)
- Clark-Wilson, with well-formed transactions
- Biba, with the no-read-down rule
Correct answer: Bell-LaPadula, with the star property (no write down)
Bell-LaPadula enforces confidentiality, and its star (*) property forbids writing down, preventing a subject at a higher level from leaking data to a lower classification. Biba is an integrity model, Clark-Wilson addresses transaction integrity, and Brewer-Nash addresses conflicts of interest, none of which is the confidentiality no-write-down rule.
- A commercial bank needs an integrity model whose goal is to prevent unauthorized users from making modifications and to maintain internal and external consistency. Which formal model addresses this with its no-write-up and no-read-down rules?
- Take-Grant
- Bell-LaPadula
- Graham-Denning
- Biba
Correct answer: Biba
The Biba model targets integrity using the simple integrity property (no read down) and the star integrity property (no write up) to prevent contamination from lower-integrity sources. Bell-LaPadula protects confidentiality, while Graham-Denning and Take-Grant describe rights-transfer operations rather than the integrity rules described.
- An architect must justify the difference between a reference architecture and a solution architecture to stakeholders. Which statement is correct?
- A reference architecture is a reusable, generally technology-agnostic template that guides many specific solution architectures
- The two terms are synonyms with no practical distinction
- A solution architecture is more abstract than a reference architecture
- A reference architecture is a deployable, product-specific configuration for one system
Correct answer: A reference architecture is a reusable, generally technology-agnostic template that guides many specific solution architectures
A reference architecture provides reusable, typically technology-agnostic patterns and templates that inform many concrete designs, while a solution architecture is the specific, deployable design derived from it. The reference architecture is the more abstract artifact, and the two are not synonyms.
- An architect models threats for a web service and classifies the risk that a user later denies performing an action they actually performed. In STRIDE, this maps to which category, and which control best counters it?
- Repudiation, countered by secure, attributable audit logging and digital signatures
- Spoofing, countered by encryption
- Denial of service, countered by rate limiting
- Information disclosure, countered by access control
Correct answer: Repudiation, countered by secure, attributable audit logging and digital signatures
Denial of having performed an action is Repudiation in STRIDE, best countered by tamper-resistant audit logs tied to authenticated identities and, where needed, digital signatures providing non-repudiation. Spoofing concerns identity forgery, denial of service concerns availability, and information disclosure concerns confidentiality, so their controls address different threats.
- During threat modeling, an architect uses a methodology that aligns the analysis with business objectives through a risk-centric, seven-stage process. Which methodology is this?
- CVSS
- PASTA (Process for Attack Simulation and Threat Analysis)
- DREAD
- STRIDE
Correct answer: PASTA (Process for Attack Simulation and Threat Analysis)
PASTA is a risk-centric, seven-stage threat-modeling methodology that ties technical threat analysis to business impact and objectives. STRIDE is a threat-category taxonomy, DREAD is a risk-rating scheme, and CVSS scores vulnerability severity rather than providing a staged threat-modeling process.
- An architect produces several architectural views (business, information, application, and technology) of the same system. What is the primary reason for maintaining multiple views?
- To hide the design from competitors
- To present the architecture at the abstraction and concerns relevant to each stakeholder group
- Because regulations require precisely four views
- To inflate documentation for audits
Correct answer: To present the architecture at the abstraction and concerns relevant to each stakeholder group
Multiple architectural views let each stakeholder group engage with the system at the level of abstraction and the concerns that matter to them, improving communication and decisions. The practice is not about documentation volume, concealment, or a mandated count of views.
- A security architect needs to dynamically restrict access so that once a consultant accesses one client's data within a conflict-of-interest class, they are barred from competing clients' data in that class. Which model fits?
- Bell-LaPadula
- Clark-Wilson
- Brewer-Nash (Chinese Wall)
- Biba
Correct answer: Brewer-Nash (Chinese Wall)
The Brewer-Nash, or Chinese Wall, model uses the history of prior accesses to dynamically prevent a subject from reaching data that conflicts with what they have already accessed, ideal for managing consultant conflicts of interest. Bell-LaPadula and Biba use static levels for confidentiality and integrity, and Clark-Wilson focuses on transaction integrity, not conflict-of-interest separation.
- An organization wants to benchmark and incrementally improve the maturity of its security architecture capabilities over time. Which type of model is designed for this purpose?
- A cryptographic key hierarchy
- An access control matrix
- A capability maturity model
- A data flow diagram
Correct answer: A capability maturity model
A capability maturity model provides a structured way to assess the current maturity of security capabilities, benchmark them, and plan staged improvement. A data flow diagram supports threat modeling, a key hierarchy organizes cryptographic keys, and an access control matrix maps subjects to object permissions, none of which measure maturity.
- An architect applies the secure design principle of 'complete mediation' to an authorization service. What does this require?
- Delegating all checks to the client application
- Checking every access to every object against the authorization policy each time it occurs
- Authorizing only the first request in a session
- Caching the first authorization decision and reusing it indefinitely
Correct answer: Checking every access to every object against the authorization policy each time it occurs
Complete mediation requires that every access to every object be checked for authority on each request, rather than relying on cached or stale decisions. Reusing a single decision, authorizing only once per session, or trusting the client all create bypass opportunities that violate the principle.
- A security model represents subjects, objects, and the operations each subject may perform on each object as a grid. What is this representation called, and what is its modeling value?
- An access control matrix, useful for explicitly modeling all subject-object permissions
- A Bell-LaPadula lattice, useful for confidentiality only
- A SABSA matrix, useful for business alignment
- A STRIDE chart, useful for threat categorization
Correct answer: An access control matrix, useful for explicitly modeling all subject-object permissions
An access control matrix is a conceptual grid mapping subjects to objects with the permitted operations in each cell, providing an explicit model of who may do what to which resource. A confidentiality lattice, a STRIDE threat taxonomy, and the SABSA business matrix serve different modeling purposes and are not the subject-object permission grid.
- In the Common Criteria, an architect writes a document describing the security requirements and operational environment for a specific product to be evaluated. What is this document called?
- A Protection Profile
- A Security Target
- A Statement of Applicability
- A System Security Plan
Correct answer: A Security Target
A Security Target is the implementation-specific document that defines the security requirements and assumptions for a particular target of evaluation under Common Criteria. A Protection Profile is the implementation-independent statement of requirements for a category of products, while a System Security Plan and Statement of Applicability belong to other frameworks (NIST and ISO 27001).
- An architect contrasts a Protection Profile with a Security Target in Common Criteria. Which distinction is correct?
- They are identical documents with different names
- A Protection Profile is product-specific; a Security Target is generic
- A Protection Profile is an implementation-independent set of requirements for a product type; a Security Target describes a specific product's claims
- A Security Target sets the EAL while a Protection Profile sets the price
Correct answer: A Protection Profile is an implementation-independent set of requirements for a product type; a Security Target describes a specific product's claims
A Protection Profile defines security requirements independent of any single implementation for a class of products, whereas a Security Target ties those requirements to a specific product undergoing evaluation. The two are not identical, the Protection Profile is the generic one, and neither document sets pricing.
- An architect is choosing between RBAC and ABAC for a system whose access decisions must consider time of day, device posture, and data sensitivity at request time. Which model is the better architectural fit and why?
- ABAC, because it evaluates policies over subject, resource, action, and environmental attributes dynamically
- MAC, because fixed labels handle dynamic context
- RBAC, because roles can encode every possible condition
- DAC, because owners can decide each case manually
Correct answer: ABAC, because it evaluates policies over subject, resource, action, and environmental attributes dynamically
Attribute-based access control evaluates policy over attributes of the subject, resource, action, and environment, making it well suited to dynamic, context-rich decisions such as time, device posture, and sensitivity. RBAC's static roles cannot scale to every contextual permutation without role explosion, DAC relies on manual owner discretion, and MAC's fixed labels are not designed for fluid contextual conditions.
- A security architecture model uses a lattice of security labels with a dominance relationship to control information flow. What is the primary purpose of this lattice-based model?
- To schedule batch jobs by priority
- To compress audit logs
- To define a partial ordering of security levels so flows are permitted only in allowed directions
- To allocate network bandwidth
Correct answer: To define a partial ordering of security levels so flows are permitted only in allowed directions
A lattice-based access control model arranges security labels in a partial ordering with a dominance relation, ensuring information flows only in directions permitted by the policy (the basis underlying models like Bell-LaPadula). It is not a job scheduler, bandwidth allocator, or log-compression scheme.
- An architect must articulate the difference between security architecture (what the design enforces) and security policy (what must be enforced). Which statement is most accurate?
- They are the same thing expressed differently
- Architecture precedes and dictates policy
- Policy states the security objectives and rules; architecture is the structured design that realizes them
- Policy is the technical implementation; architecture is the high-level intent
Correct answer: Policy states the security objectives and rules; architecture is the structured design that realizes them
Security policy expresses the objectives and rules that must hold, while the security architecture is the structured design and arrangement of mechanisms that realizes and enforces that policy. Policy is intent rather than implementation, the two are not identical, and policy normally drives architecture rather than the reverse.
- When using a data flow diagram for threat modeling, what is the modeling significance of a trust boundary?
- It marks where data crosses between zones of differing trust, signaling where validation and controls are required
- It indicates the physical rack location of a server
- It marks the maximum bandwidth of a connection
- It shows the encryption algorithm used on a link
Correct answer: It marks where data crosses between zones of differing trust, signaling where validation and controls are required
A trust boundary on a data flow diagram identifies points where data or control passes between zones of differing trust, highlighting exactly where authentication, validation, or other controls must be enforced. It is not a measure of bandwidth, a physical location marker, or an indicator of a specific algorithm.
- An architect adopts a 'secure by design' approach for a new platform. Which practice most directly embodies this philosophy at the modeling stage?
- Identifying and mitigating threats during architecture and design, before code is written
- Relying on a perimeter firewall to cover all weaknesses
- Deferring all security decisions to the operations team post-launch
- Adding security controls only after penetration testing finds gaps
Correct answer: Identifying and mitigating threats during architecture and design, before code is written
Secure by design means threats are identified and mitigated during architecture and design, when changes are cheapest and most effective, rather than bolted on later. Waiting for penetration tests, leaning on a single perimeter control, or deferring to operations after launch are reactive approaches that contradict designing security in from the start.
- An architect is selecting an evaluation approach and notes that Common Criteria assurance is tied to a defined scope of the product under review. What is this scope called?
- The Target of Evaluation (TOE)
- The Security Perimeter
- The Control Baseline
- The Trusted Path
Correct answer: The Target of Evaluation (TOE)
The Target of Evaluation (TOE) is the specific product or system, with its documentation, that is subject to Common Criteria evaluation. A trusted path is a protected communication channel, a security perimeter is a network boundary, and a control baseline is a NIST concept, so none of those define the evaluated scope.
- A security model defines a set of primitive protection rights such as create object, create subject, delete, read, grant, transfer, and delete rights, focusing on how rights are securely assigned and revoked. Which formal model is this?
- Clark-Wilson
- Graham-Denning
- Brewer-Nash
- Bell-LaPadula
Correct answer: Graham-Denning
The Graham-Denning model defines a set of primitive protection commands governing how subjects and objects are created and deleted and how access rights are securely granted, transferred, and revoked. Bell-LaPadula and Clark-Wilson address confidentiality and transaction integrity respectively, and Brewer-Nash addresses conflict-of-interest separation, rather than the management of protection rights.
- An architect is modeling the protection mechanism that mediates every access between subjects and objects in a high-assurance operating system. To satisfy the reference monitor concept, the reference validation mechanism must meet three properties. Which set correctly states all three?
- It must enforce least privilege, separate duties, and rotate credentials
- It must be patched monthly, signed by the vendor, and logged to a SIEM
- It must be always invoked (complete mediation), tamperproof, and small enough to be fully analyzed and verified
- It must be encrypted at rest, replicated for high availability, and load-balanced across nodes
Correct answer: It must be always invoked (complete mediation), tamperproof, and small enough to be fully analyzed and verified
The three reference monitor properties are that the mechanism is always invoked (complete mediation over every access), tamperproof (cannot be modified or bypassed), and verifiable (small and simple enough to be subjected to complete analysis and testing). NIST and the historical TCSEC define the reference monitor as an abstract machine enforcing the access control policy over all subjects and objects, and the security kernel is the hardware, firmware, and software of the trusted computing base (TCB) that actually implements that concept. The availability, patching, and credential-management options describe sound operational or IAM practices but are not the defining requirements of a reference validation mechanism.
- An architect must select a cryptographic device that secures keys at the enterprise level, performs high-volume signing for a certificate authority, and is shared as a network appliance across many servers. Which device fits this role?
- A USB flash drive holding the exported private keys
- A hardware security module (HSM) deployed as a network-attached appliance
- A trusted platform module (TPM) soldered to each server motherboard
- A software keystore file protected by an operating-system password
Correct answer: A hardware security module (HSM) deployed as a network-attached appliance
A hardware security module is the right choice: HSMs operate at the network or system level, can be network-attached and shared across many servers, and accelerate high-volume cryptographic operations such as CA signing. A TPM is a device-level chip bound to one endpoint, and software keystores or USB drives expose keys in extractable form.
- A security architect is comparing an HSM and a TPM for a workstation full-disk encryption design and an enterprise key-management design. Which statement correctly distinguishes the two?
- An HSM and a TPM are interchangeable terms for the same hardware
- An HSM provides centralized, high-throughput enterprise key services, while a TPM is an embedded chip providing a per-device hardware root of trust
- A TPM can perform faster bulk cryptographic operations than any HSM
- A TPM is a removable network appliance, while an HSM is embedded in the motherboard
Correct answer: An HSM provides centralized, high-throughput enterprise key services, while a TPM is an embedded chip providing a per-device hardware root of trust
The correct distinction is that an HSM delivers centralized, high-throughput enterprise key management while a TPM is an embedded chip giving a single device a hardware root of trust (used for disk encryption and platform attestation). TPMs are device-bound and limited in throughput and key types, whereas HSMs are typically external, shareable, and far faster for bulk operations.
- An architect needs equivalent cryptographic strength to RSA-3072 but with smaller keys to reduce TLS handshake cost on constrained IoT devices. Which choice meets the goal?
- A 512-bit RSA key
- A 256-bit elliptic curve key (e.g., P-256)
- A 1024-bit RSA key
- A 128-bit symmetric AES key used as the asymmetric key
Correct answer: A 256-bit elliptic curve key (e.g., P-256)
A 256-bit elliptic curve key is correct: per NIST, ECC P-256 provides roughly 128-bit security strength comparable to RSA-3072 but with a far smaller key, lowering computation and bandwidth on constrained devices. A 1024-bit RSA key is weaker (about 80-bit strength), and a symmetric AES key cannot serve as an asymmetric key.
- Why does elliptic curve cryptography achieve the same security level as RSA with substantially smaller keys?
- It relies on keeping the algorithm secret from attackers
- Its security rests on the hardness of the elliptic curve discrete logarithm problem, which scales more favorably than integer factorization
- It uses larger blocks than RSA so fewer rounds are needed
- It encrypts data multiple times in sequence
Correct answer: Its security rests on the hardness of the elliptic curve discrete logarithm problem, which scales more favorably than integer factorization
ECC's efficiency comes from the elliptic curve discrete logarithm problem: there is no known sub-exponential attack against it, so strength grows faster per bit than RSA's integer factorization. That is why a 256-bit ECC key matches roughly RSA-3072. ECC's strength does not depend on algorithm secrecy.
- In a public key infrastructure, which component is responsible for verifying the identity of a certificate applicant before a certificate is issued, without itself signing certificates?
- The validation authority running OCSP
- The registration authority (RA)
- The certificate authority (CA)
- The certificate revocation list (CRL) distribution point
Correct answer: The registration authority (RA)
The registration authority is correct: the RA vets and verifies the identity of applicants and forwards approved requests, but it does not sign certificates. The certificate authority is the trust anchor that actually signs and issues certificates after the RA validates identity.
- An architect is documenting the core building blocks of a PKI for a design review. Which set best represents the essential PKI components?
- Certificate authority, registration authority, certificate repository/directory, and revocation mechanism
- DNS, DHCP, NTP, and LDAP
- Router, switch, proxy, and VPN concentrator
- Firewall, IDS, SIEM, and load balancer
Correct answer: Certificate authority, registration authority, certificate repository/directory, and revocation mechanism
The certificate authority, registration authority, repository/directory, and revocation mechanism are the essential PKI components: the CA issues certificates, the RA verifies identities, the repository publishes certificates and status, and the revocation mechanism (CRL/OCSP) communicates which certificates are no longer trusted. Network devices like firewalls and routers are infrastructure, not PKI components.
- A stakeholder asks the architect to explain, in one sentence, what a public key infrastructure actually provides. Which description is most accurate?
- A framework of policies, roles, hardware, and software that creates, manages, distributes, and revokes digital certificates binding public keys to identities
- A protocol that encrypts all network traffic by default
- A method for generating one-time passwords for multifactor authentication
- A single server that stores everyone's passwords securely
Correct answer: A framework of policies, roles, hardware, and software that creates, manages, distributes, and revokes digital certificates binding public keys to identities
PKI is correctly defined as the framework of policies, roles, hardware, and software that issues, manages, distributes, and revokes digital certificates binding public keys to verified identities. It is not a traffic-encryption protocol or a password store; those are separate functions that PKI may support.
- An architect is designing the trust hierarchy and certificate-management policy for a new enterprise PKI. Which document defines the overarching requirements that govern how certificates are issued and managed across the hierarchy?
- The TLS cipher suite list
- The certificate policy (CP), supported by certification practice statements (CPS)
- The certificate revocation list
- The OCSP responder configuration
Correct answer: The certificate policy (CP), supported by certification practice statements (CPS)
The certificate policy, with supporting certification practice statements, is correct: the CP defines the rules and assurance requirements for certificate use and management, while each CA's CPS describes how it implements those rules. A CRL and OCSP config are operational status artifacts, not governing policy.
- A relying party needs to confirm that a presented certificate has not been revoked by downloading a CA-signed, periodically published list of revoked serial numbers. Which mechanism is being used?
- Certificate Transparency log
- Certificate revocation list (CRL)
- Certificate signing request (CSR)
- Online Certificate Status Protocol (OCSP)
Correct answer: Certificate revocation list (CRL)
A certificate revocation list is correct: a CRL is a CA-signed file enumerating the serial numbers of certificates revoked before expiration, which relying parties download and check locally. OCSP performs real-time per-certificate queries rather than distributing a full list, and a CSR is an issuance request.
- An architect must choose between CRL and OCSP for certificate-status checking in a latency-sensitive, privacy-conscious design. Which trade-off is described correctly?
- OCSP downloads a full revocation list while CRL queries one certificate at a time
- CRL gives real-time accuracy per request while OCSP is always cached and stale
- CRL requires a live network round-trip for every single check while OCSP never contacts the CA
- OCSP gives near-real-time status via a live responder query but adds per-check latency and can leak which sites a user visits; CRL is cached locally but can be staler between publications
Correct answer: OCSP gives near-real-time status via a live responder query but adds per-check latency and can leak which sites a user visits; CRL is cached locally but can be staler between publications
The correct trade-off is that OCSP queries a live responder for near-real-time status but adds latency and privacy exposure (the responder sees which certificates a client checks), while a cached CRL avoids per-check round-trips but may be staler between publication intervals. OCSP checks one certificate; CRLs distribute the whole list.
- To remove the privacy and latency drawbacks of clients querying an OCSP responder directly, an architect specifies that the web server obtain and attach a recent signed status response during the TLS handshake. What is this technique called?
- Certificate pinning
- OCSP stapling
- Key escrow
- CRL distribution-point chaining
Correct answer: OCSP stapling
OCSP stapling is correct: the server periodically fetches a CA-signed OCSP response and staples it to the certificate during the handshake, so the client gets fresh status without contacting the responder. This improves performance and privacy because the CA no longer sees individual client queries. Pinning and escrow address different problems.
- An architect is laying out the operational stages a symmetric key passes through during its life. Which sequence reflects the key management lifecycle order described by NIST SP 800-57?
- Generation/pre-activation, activation/use, deactivation, archival or destruction
- Activation, generation, escrow, publication
- Distribution, escrow, publication, generation
- Destruction, generation, activation, distribution
Correct answer: Generation/pre-activation, activation/use, deactivation, archival or destruction
The correct order is generation/pre-activation, then active use, then deactivation, then archival or destruction — corresponding to the pre-operational, operational, post-operational, and destroyed phases in NIST SP 800-57. A key cannot be activated before it is generated, and destruction is the final stage, not the first.
- Within the key management lifecycle, what is the primary purpose of defining a cryptoperiod for a key?
- To allow the same key to be reused indefinitely across systems
- To limit the time a key is authorized for use, bounding exposure and the volume of data protected under a single key
- To make the key impossible to back up
- To guarantee the key can never be revoked
Correct answer: To limit the time a key is authorized for use, bounding exposure and the volume of data protected under a single key
Defining a cryptoperiod is correct: NIST SP 800-57 recommends bounding the time a key may be used so that the amount of data and exposure under one key is limited, reducing the impact of compromise and supporting timely rotation. A cryptoperiod does not prevent backup or revocation.
- An architect must design a system where a court order or business-continuity event could require recovery of an encrypted dataset even if the original user is unavailable. Which capability supports this requirement?
- Hard-coding keys into application binaries
- Disabling all key backups
- Cryptographic key escrow, where a copy of the key is securely held by a trusted party for authorized recovery
- Using the same key for every dataset
Correct answer: Cryptographic key escrow, where a copy of the key is securely held by a trusted party for authorized recovery
Cryptographic key escrow is correct: a copy of the key is held securely by a trusted custodian (often under split-knowledge/dual-control) so an authorized party can recover data when the original holder is unavailable. It must be tightly governed because it inherently creates an additional copy of sensitive key material.
- To reduce the risk that any single administrator can misuse an escrowed master key, which control should the architecture enforce on key recovery?
- Giving every administrator a full copy of the key
- Split knowledge and dual control, so no single person can reconstruct or use the key alone
- Emailing the key to the security team for safekeeping
- Storing the full key in plaintext on a shared drive
Correct answer: Split knowledge and dual control, so no single person can reconstruct or use the key alone
Split knowledge and dual control are correct: the key is divided so that multiple authorized people must collaborate to reconstruct or use it, ensuring no single individual can recover it alone. Plaintext shared storage or distributing full copies defeats the purpose of escrow safeguards.
- An architect needs to explain how a digital signature provides integrity and non-repudiation. Which description is accurate?
- The sender and recipient share one secret key used to sign and verify
- The sender appends a plaintext copy of their password to the message
- The sender encrypts the message with the recipient's public key
- The sender hashes the message and encrypts the hash with the sender's private key; the recipient verifies it with the sender's public key
Correct answer: The sender hashes the message and encrypts the hash with the sender's private key; the recipient verifies it with the sender's public key
Hashing the message and encrypting the digest with the sender's private key is correct: anyone with the sender's public key can verify the signature, proving integrity (the hash matches) and non-repudiation (only the sender's private key could have produced it). Encrypting with the recipient's public key provides confidentiality, not a signature.
- In a digital signature scheme, what is verified when signature validation succeeds?
- That the message has not been altered since signing and originated from the holder of the corresponding private key
- That the message was delivered within a guaranteed time window
- That the recipient is authorized to read the message
- That the message is encrypted and unreadable to third parties
Correct answer: That the message has not been altered since signing and originated from the holder of the corresponding private key
Successful validation confirms that the message is unaltered since signing and that it came from the holder of the matching private key, providing integrity and authenticity/non-repudiation. A signature does not by itself encrypt the message or guarantee delivery timing or recipient authorization.
- Two endpoints need to establish a shared secret over an untrusted network without ever transmitting the secret itself. Which mechanism accomplishes this?
- SHA-256 hashing
- Diffie-Hellman key exchange
- Base64 encoding of a password
- AES in CBC mode
Correct answer: Diffie-Hellman key exchange
Diffie-Hellman key exchange is correct: each party combines its private value with the other's public value to derive an identical shared secret without that secret ever crossing the wire. AES is a bulk cipher (not a key-agreement protocol), and hashing or encoding cannot perform key agreement.
- An architect wants the compromise of a server's long-term private key to not expose previously recorded session traffic. Which property, achieved with ephemeral Diffie-Hellman, provides this?
- Perfect forward secrecy
- Key escrow
- Certificate transparency
- Non-repudiation
Correct answer: Perfect forward secrecy
Perfect forward secrecy is correct: using ephemeral Diffie-Hellman generates a unique per-session key not derivable from the long-term key, so compromising the static private key later does not decrypt past sessions. Non-repudiation and escrow address authenticity and recovery, not session-key independence.
- An architect is presenting the foundational tenets of zero trust from NIST SP 800-207 to leadership. Which statement reflects a core zero-trust principle?
- Trust is granted once at the network perimeter and persists for the session
- All data sources and computing services are treated as resources, and access is granted per-session on a least-privilege, continuously evaluated basis
- Encryption can be omitted inside the trusted internal network
- Devices on the corporate LAN are inherently trusted
Correct answer: All data sources and computing services are treated as resources, and access is granted per-session on a least-privilege, continuously evaluated basis
Treating all data sources and services as resources with per-session, least-privilege, continuously evaluated access is a core NIST SP 800-207 tenet. Zero trust explicitly rejects implicit trust based on network location, persistent perimeter trust, or skipping internal encryption.
- In the NIST zero-trust architecture logical model, which component makes the access decision and which enforces it?
- The policy engine/policy administrator (policy decision point) decides; the policy enforcement point enforces
- The firewall decides and the router enforces
- The identity provider decides and the CRL enforces
- The policy enforcement point decides; the policy engine enforces
Correct answer: The policy engine/policy administrator (policy decision point) decides; the policy enforcement point enforces
The policy engine and policy administrator together act as the decision point, and the policy enforcement point enforces that decision by allowing or blocking the connection to the resource. Reversing these roles, or assigning them to a firewall/router or identity provider/CRL, misrepresents the NIST SP 800-207 model.
- An organization is replacing implicit VPN-based trust with a model where access to each application is brokered after verifying identity, device posture, and context. Which architecture is being adopted?
- An air-gapped network for all users
- Zero trust architecture with per-application, policy-driven access brokering
- A single perimeter firewall with no internal controls
- A flat trusted LAN
Correct answer: Zero trust architecture with per-application, policy-driven access brokering
This is zero trust architecture: access is brokered per application only after verifying identity, device posture, and context, rather than granting broad network access via VPN. A flat LAN or perimeter-only model relies on the implicit trust that zero trust is designed to eliminate.
- Which combination best summarizes the guiding principles an architect should apply when designing a zero-trust environment?
- Verify explicitly, enforce least-privilege access, and assume breach
- Trust the network, encrypt nothing internally, authenticate once
- Allow lateral movement, share credentials, and disable logging
- Authenticate at the perimeter and grant standing admin rights
Correct answer: Verify explicitly, enforce least-privilege access, and assume breach
Verify explicitly, enforce least privilege, and assume breach are the widely cited guiding zero-trust principles: every request is authenticated and authorized with full context, access is minimized and just-in-time, and the design presumes attackers may already be present. The other options describe the legacy perimeter model zero trust replaces.
- An architect wants to enforce granular, identity-aware east-west policy down to individual workloads rather than broad subnet boundaries. Which technique provides this finest-grained isolation?
- Microsegmentation applying per-workload allow policies independent of physical topology
- Placing all workloads behind one perimeter firewall
- Assigning every workload a public IP
- A single large VLAN for the data center
Correct answer: Microsegmentation applying per-workload allow policies independent of physical topology
Microsegmentation is correct: it applies per-workload, identity-aware allow policies that are decoupled from physical/subnet topology, confining lateral movement at a fine grain. A single VLAN or a perimeter-only firewall cannot enforce policy between workloads inside the same segment.
- An architect is justifying network segmentation to reduce risk. Which outcome is the primary security benefit of segmenting a network?
- It guarantees higher bandwidth on every link
- It contains breaches by limiting an attacker's ability to move laterally and reach sensitive systems
- It eliminates the need for endpoint protection
- It removes the need to patch internal systems
Correct answer: It contains breaches by limiting an attacker's ability to move laterally and reach sensitive systems
Containing breaches by restricting lateral movement and isolating sensitive systems is the primary security benefit of network segmentation. Segmentation reduces blast radius and limits reachable attack surface; it does not replace endpoint protection or patching, nor does it inherently increase bandwidth.
- During a power or controller failure, a high-security data-center door must lock and deny entry to protect a sensitive area, even though people inside can still exit via mechanical release. Which design behavior is specified?
- Fail silent, suppressing all alarms
- Fail open, prioritizing availability of access
- Fail secure (fail closed), prioritizing protection of the asset
- Fail random, alternating states
Correct answer: Fail secure (fail closed), prioritizing protection of the asset
Fail secure (fail closed) is correct: on failure the control defaults to the protective state (locked/deny), prioritizing confidentiality and asset protection. Fail open would unlock to favor availability and life safety, which is the opposite trade-off and is chosen where human safety outweighs asset protection.
- An architect must decide failure behavior for a firewall filtering traffic to a critical regulated database. To prevent unauthorized traffic if the device crashes, which behavior should be configured?
- Fail to a default allow-any rule
- Fail open so traffic continues to flow
- Disable the firewall during maintenance windows permanently
- Fail closed so the path denies traffic on failure
Correct answer: Fail closed so the path denies traffic on failure
Fail closed is correct: if the firewall fails, the path should deny traffic so the protected database is not exposed, favoring security over availability for a regulated asset. Failing open or defaulting to allow-any would let unfiltered traffic reach the database during the outage.
- A board asks the architect to distinguish a business continuity plan from a disaster recovery plan. Which description is correct?
- The business continuity plan is the broad strategy to keep essential business functions operating during disruption, while the disaster recovery plan is the technical subset focused on restoring IT systems and data
- They are identical documents with different titles
- The business continuity plan only addresses cyberattacks, while disaster recovery addresses natural disasters
- The disaster recovery plan covers all business functions, while the business continuity plan covers only IT
Correct answer: The business continuity plan is the broad strategy to keep essential business functions operating during disruption, while the disaster recovery plan is the technical subset focused on restoring IT systems and data
The business continuity plan is the broad strategy for sustaining essential business functions during disruption, and the disaster recovery plan is the IT-focused subset for restoring systems and data. DRP is a component within the larger BCP scope; they are not interchangeable, and neither is limited to a single threat type.
- An architect is setting recovery objectives for a critical service. Which pairing of terms is defined correctly?
- RTO is the maximum acceptable data loss; RPO is the maximum acceptable downtime
- RTO is the target time to restore a service after disruption; RPO is the maximum acceptable amount of data loss measured backward from the incident
- RPO measures network throughput; RTO measures CPU utilization
- RTO and RPO both measure backup storage capacity
Correct answer: RTO is the target time to restore a service after disruption; RPO is the maximum acceptable amount of data loss measured backward from the incident
The correct definitions are that RTO is the target time to restore a service after disruption, while RPO is the maximum tolerable data loss measured backward from the incident (driving backup frequency). These objectives anchor continuity and disaster-recovery design and must not be swapped.
- An architect designs a DMZ for internet-facing services. What is the primary architectural purpose of a DMZ (perimeter network)?
- To store cryptographic keys for the entire enterprise
- To replace the need for any internal firewalls
- To host externally reachable services in a segmented zone so that a compromise there does not grant direct access to the internal network
- To place internal databases directly on the internet for speed
Correct answer: To host externally reachable services in a segmented zone so that a compromise there does not grant direct access to the internal network
Hosting externally reachable services in a segmented zone is the DMZ's purpose: it isolates public-facing systems so a compromise of those systems does not directly expose the internal network. Internal databases and key stores belong in protected internal zones, not the DMZ.
- An architect must protect highly sensitive bulk data at rest while enabling cryptographic agility for a future migration to post-quantum algorithms. Which design choice best supports algorithm agility?
- Encrypting only with a deprecated algorithm to avoid change
- Abstracting cryptographic operations behind a centralized crypto service or library so algorithms and keys can be changed without rewriting applications
- Hard-coding one cipher and key into every application
- Disabling encryption until post-quantum standards are mandatory
Correct answer: Abstracting cryptographic operations behind a centralized crypto service or library so algorithms and keys can be changed without rewriting applications
Abstracting crypto behind a centralized service or library is correct: it enables cryptographic agility so the organization can swap algorithms and rotate keys (including a post-quantum migration) without rewriting each application. Hard-coding a single cipher creates brittle dependencies that block future transitions.
- An architect is selecting a key length and algorithm for protecting data that must remain confidential for 25 years. Which consideration is most important?
- Reusing the shortest key to save storage
- Choosing the fastest algorithm regardless of strength
- Selecting algorithms and key sizes with a security margin adequate for the data's required protection lifetime, including resilience to future advances
- Picking whatever the previous system used
Correct answer: Selecting algorithms and key sizes with a security margin adequate for the data's required protection lifetime, including resilience to future advances
Matching algorithm and key strength to the required protection lifetime, with margin for future cryptanalytic and computing advances, is the key consideration for long-lived data. Long retention periods may even warrant planning for post-quantum-resistant algorithms; speed and storage savings are secondary to durability of protection.
- An architect designs certificate validation for clients and must handle the case where neither a CRL nor an OCSP response can be reached. Which design is most secure for high-assurance systems?
- Ignore revocation entirely
- Soft-fail: treat the certificate as valid when status cannot be checked
- Hard-fail: reject the certificate when revocation status cannot be confirmed for high-assurance contexts
- Cache the last 'good' response forever
Correct answer: Hard-fail: reject the certificate when revocation status cannot be confirmed for high-assurance contexts
Hard-fail is correct for high-assurance systems: if revocation status cannot be confirmed, the safest posture is to reject the certificate rather than assume validity. Soft-fail (assuming valid on failure) is convenient but lets an attacker who blocks status checks present a revoked certificate.
- An architect must protect the root of trust for an enterprise PKI. Where should the root CA's private key be generated and stored to maximize protection?
- Inside a FIPS 140-validated HSM, with the root CA kept offline and powered down except during ceremonies
- On a developer laptop for convenient access
- In the application's source repository
- In a cloud storage bucket shared with operations
Correct answer: Inside a FIPS 140-validated HSM, with the root CA kept offline and powered down except during ceremonies
Generating and storing the root key in a FIPS 140-validated HSM with the root CA kept offline is correct: it ensures the key is never exposed in extractable form and is only used during controlled key ceremonies for signing intermediates. Laptops, storage buckets, and repositories all risk exposing the most critical trust anchor.
- An architect needs strong, hardware-backed integrity assurance that a server booted only trusted firmware and OS components. Which mechanism, anchored in a TPM, provides this?
- A software-only checksum stored on the same disk
- Measured boot with the TPM recording component hashes into platform configuration registers for remote attestation
- Disabling secure boot to simplify updates
- A password protecting the BIOS menu
Correct answer: Measured boot with the TPM recording component hashes into platform configuration registers for remote attestation
Measured boot using the TPM is correct: each boot component is hashed and recorded into the TPM's platform configuration registers, enabling remote attestation that only trusted firmware and OS loaded. A software checksum on the same disk can be tampered with alongside the boot chain, and a BIOS password does not attest integrity.
- An architect is segmenting an industrial control system (OT) network from the corporate IT network. Which design pattern is the recommended reference for this boundary?
- Allowing any corporate workstation to reach PLCs directly
- A layered/zoned model with a demilitarized boundary (such as the Purdue model's IT/OT DMZ) brokering all traffic between zones
- Merging IT and OT into one flat network for simplicity
- Connecting OT devices directly to the internet for remote support
Correct answer: A layered/zoned model with a demilitarized boundary (such as the Purdue model's IT/OT DMZ) brokering all traffic between zones
A layered, zoned model with an IT/OT DMZ (as in the Purdue reference architecture) is correct: it brokers and inspects all traffic between corporate IT and control zones, preventing direct exposure of sensitive OT devices. Flattening the networks or directly internet-connecting controllers removes the segmentation that protects critical processes.
- An architect must choose a secure remote-access design for administrators that avoids exposing management interfaces directly to the internet. Which approach best fits a zero-trust model?
- Sharing one administrative VPN account among the team
- Publishing RDP directly to the public internet with a strong password
- A zero-trust network access (ZTNA) broker that authenticates identity and device posture before granting per-application access
- Opening all firewall ports during business hours
Correct answer: A zero-trust network access (ZTNA) broker that authenticates identity and device posture before granting per-application access
A ZTNA broker is correct: it authenticates identity and verifies device posture, then grants access only to the specific application rather than the whole network, keeping management interfaces unexposed. Publishing RDP, opening ports broadly, or sharing accounts all create the implicit trust and broad exposure that zero trust eliminates.
- An architect designs key generation for an enterprise and must ensure keys are unpredictable. Which source is appropriate for generating cryptographic keys?
- A timestamp formatted as the key
- The user's username repeated to key length
- A predictable counter incremented per request
- A validated cryptographically secure random number generator seeded with sufficient entropy
Correct answer: A validated cryptographically secure random number generator seeded with sufficient entropy
A validated cryptographically secure random number generator with sufficient entropy is correct: unpredictability is essential, so keys must come from an approved CSPRNG, ideally backed by a hardware entropy source such as an HSM. Counters, timestamps, and usernames are predictable and would catastrophically weaken the keys.
- An architect is choosing how to bind a TLS access token to a specific client so a stolen token cannot be replayed from another machine, at the infrastructure layer. Which approach binds the credential to the client's key?
- Bearer tokens with no binding
- Lengthening the token's lifetime
- Mutual TLS client-certificate binding so the token is only valid when presented over the bound TLS connection
- Storing the token in a cookie with no flags
Correct answer: Mutual TLS client-certificate binding so the token is only valid when presented over the bound TLS connection
Mutual TLS client-certificate binding is correct: the credential is tied to the client's private key, so a token captured elsewhere cannot be replayed without that key and the bound TLS connection. Unbound bearer tokens, flag-less cookies, and longer lifetimes increase rather than reduce replay risk.
- An architect must decide where to terminate TLS in a layered web architecture while still inspecting traffic and protecting backend keys. Which design balances inspection with key protection?
- Disable TLS internally to ease inspection
- Terminate TLS on each backend server and store private keys in app config
- Expose backends directly to clients without a proxy
- Terminate TLS at a reverse proxy/load balancer that offloads crypto to an HSM, then re-encrypt to backends as required
Correct answer: Terminate TLS at a reverse proxy/load balancer that offloads crypto to an HSM, then re-encrypt to backends as required
Terminating TLS at a reverse proxy that offloads to an HSM, then re-encrypting to backends as needed, is correct: it centralizes inspection and key protection while keeping internal traffic encrypted where required. Storing keys in app config or disabling internal TLS exposes keys and traffic.
- A relying-party architecture must validate a certificate chain up to a trusted root. Which step is essential to correct path validation?
- Verifying each certificate's signature with its issuer's public key up to a trusted anchor and checking revocation and constraints at each level
- Trusting any certificate that is not expired
- Validating only the root and ignoring the leaf
- Accepting the leaf certificate without checking intermediates
Correct answer: Verifying each certificate's signature with its issuer's public key up to a trusted anchor and checking revocation and constraints at each level
Verifying each certificate's signature with its issuer's key up to a trusted root, while checking revocation and constraints at each level, is essential path validation. Skipping intermediates, trusting purely on non-expiration, or validating only the root would allow forged or revoked certificates to be accepted.
- An architect wants to ensure that even the cloud provider's administrators cannot read tenant key material used to encrypt data in a managed service. Which design pattern achieves this?
- Storing keys in plaintext metadata
- Provider-managed keys with full provider access
- Sharing the master key with provider support
- Customer-managed keys held in a customer-controlled HSM (e.g., hold-your-own-key / external key store), so the provider invokes but cannot extract the key
Correct answer: Customer-managed keys held in a customer-controlled HSM (e.g., hold-your-own-key / external key store), so the provider invokes but cannot extract the key
Customer-managed keys in a customer-controlled HSM (external key store / hold-your-own-key) is correct: the provider can invoke cryptographic operations but cannot extract or read the key, keeping it outside provider control. Provider-managed keys, plaintext metadata, or sharing the master key give the provider access the design is meant to prevent.
- An architect is defining how often to publish CRLs versus the freshness clients require. Which trade-off must be managed?
- CRL publication frequency has no effect on revocation timeliness
- More frequent CRL publication improves status freshness but increases CA and distribution load and client download overhead
- Publishing a CRL once and never updating it is best practice
- Less frequent CRL publication always improves security
Correct answer: More frequent CRL publication improves status freshness but increases CA and distribution load and client download overhead
More frequent CRL publication improves freshness but raises CA and distribution-point load and client download overhead, so the interval must balance timeliness against cost. Infrequent or one-time publication leaves a window where revoked certificates still appear valid, weakening security.
- An architect must protect signing keys for a high-volume code-signing service against extraction while meeting regulatory assurance. Which control is most appropriate?
- Store the signing key as an environment variable
- Perform all signing operations inside a FIPS 140-validated HSM so the private key never leaves the device in usable form
- Email the key to the build server at deploy time
- Embed the signing key in the installer package
Correct answer: Perform all signing operations inside a FIPS 140-validated HSM so the private key never leaves the device in usable form
Performing signing inside a FIPS 140-validated HSM is correct: the private key is generated and used within the hardware boundary and never exported in usable form, satisfying both extraction-resistance and regulatory assurance. Environment variables, emailed keys, and embedded keys all risk disclosure of the signing key.
- An architect is choosing a secure replacement for legacy plaintext management protocols on network infrastructure devices. Which set provides encrypted, authenticated administration and monitoring?
- HTTP for management and SNMPv2c for monitoring
- Telnet for CLI and SNMPv1 for monitoring
- Plain FTP for configuration transfer and Telnet for CLI
- SSH for CLI access and SNMPv3 with authentication and privacy for monitoring
Correct answer: SSH for CLI access and SNMPv3 with authentication and privacy for monitoring
SSH for CLI access paired with SNMPv3 (which adds authentication and encryption/privacy) is correct: both provide confidentiality and authenticated administration of infrastructure devices. Telnet, HTTP, plain FTP, and SNMPv1/v2c transmit credentials and data in cleartext and lack strong authentication.
- An architect is specifying a hardware security module for a national PKI and must choose the FIPS 140-3 level at which the device immediately erases its plaintext keys the instant it detects that someone has drilled into or opened the enclosure. Which level should the specification require?
- Level 4, which is identical to Level 3 but cheaper to procure
- Level 3, which adds an opaque tamper-responsive boundary that zeroizes sensitive parameters on physical penetration
- Level 1, which only mandates an approved algorithm and offers no physical protection
- Level 2, which adds tamper-evident seals and role-based authentication
Correct answer: Level 3, which adds an opaque tamper-responsive boundary that zeroizes sensitive parameters on physical penetration
FIPS 140-3 Security Level 3 is the correct specification because it adds a hard, tamper-responsive physical boundary (potting, mesh, and intrusion sensors) plus identity-based authentication and environmental failure protection, and it requires the module to zeroize plaintext keys and critical security parameters the moment penetration is detected. Level 2 only provides tamper evidence (you can see it was opened) but does not actively destroy keys, and Level 1 has no physical protection at all. Level 4 is the most stringent tier (adding fault-injection resistance and stricter environmental defenses), not a cheaper variant of Level 3.
- An enterprise runs HSMs from three different vendors plus a cloud key service, and the architect wants one standard protocol so applications can create, retrieve, rotate, and destroy keys across all of them without vendor-specific code. Which standard should the reference architecture mandate?
- PKCS#7, a syntax for signed and enveloped message data
- X.509, the format specification for public-key certificates
- KMIP, an OASIS standard interface for managing cryptographic keys across heterogeneous key stores
- SCEP, a protocol for enrolling devices for certificates
Correct answer: KMIP, an OASIS standard interface for managing cryptographic keys across heterogeneous key stores
KMIP (Key Management Interoperability Protocol) is the correct choice because it is the OASIS standard that gives applications a single, vendor-neutral interface to perform full key-lifecycle operations (generate, register, retrieve, rotate, revoke, destroy) against HSMs and key managers from different vendors. X.509 only defines the certificate format, PKCS#7 (CMS) only defines signed and enveloped message syntax, and SCEP only handles certificate enrollment for devices, so none of those solves cross-vendor key management.
- In a NIST SP 800-207 zero trust architecture, an architect must place the component that sits directly in the traffic path and actually opens or closes the connection to a resource once a decision is rendered. Which component performs that enforcement role?
- The policy engine, which makes the grant-or-deny decision
- The policy administrator, which generates the session credential or token
- The policy enforcement point, which sits inline and permits or blocks the connection to the resource
- The policy information point, which supplies attributes used in the decision
Correct answer: The policy enforcement point, which sits inline and permits or blocks the connection to the resource
The policy enforcement point (PEP) is the component that sits inline in the data path and physically allows or terminates the subject's connection to the resource once a decision is issued. In NIST SP 800-207 the decision itself is split into the policy engine (which evaluates policy and threat signals to decide) and the policy administrator (which establishes or tears down the session credential), while information sources feed attributes in; only the PEP does the actual enforcement at the resource boundary.
- An architect reviews a design that claims network segmentation but routes every inter-segment packet through a single Layer 3 switch with no access-control lists between VLANs. Why does this design fail to deliver the security benefit of segmentation?
- Layer 3 switches cannot route between VLANs at all
- VLANs cannot carry encrypted traffic, so the data is exposed
- VLAN tags increase latency and degrade availability of the segments
- Without a filtering policy between segments, a compromised host can still reach other segments, so the segments are not actually isolated
Correct answer: Without a filtering policy between segments, a compromised host can still reach other segments, so the segments are not actually isolated
The design fails because segmentation only limits lateral movement when a filtering policy actually controls or denies traffic crossing segment boundaries; with open routing and no inter-VLAN access-control lists, a compromised host reaches every other VLAN as if the network were flat. Logical VLAN separation without an enforced cross-segment policy provides administrative tidiness, not a security boundary, which is why true segmentation pairs the VLANs with a firewall or default-deny ACLs at the Layer 3 boundary.
- An architect notes that most browsers perform OCSP revocation checks in soft-fail mode. From a security-architecture standpoint, what is the consequence of relying on soft-fail OCSP to detect a revoked certificate?
- Soft-fail forces clients to download the full certificate revocation list on every connection
- Soft-fail encrypts the revocation response so the relying party cannot read it
- Soft-fail rejects every connection whenever the OCSP responder is slow, harming availability
- An attacker who blocks reachability to the OCSP responder causes clients to treat the certificate as valid, defeating revocation
Correct answer: An attacker who blocks reachability to the OCSP responder causes clients to treat the certificate as valid, defeating revocation
With soft-fail OCSP, an unreachable responder is treated as non-blocking, so an on-path attacker who simply blocks traffic to the OCSP responder makes clients accept a revoked certificate as if it were good, which defeats the entire purpose of revocation checking. This is precisely why architects prefer OCSP stapling (the server presents a pre-fetched, CA-signed status) and short-lived certificates over client-side soft-fail OCSP; hard-fail would block such an attack but is widely avoided because responder outages would then break availability.
- An architect is designing a tiered network for a public web application and must position the front-end web servers so that internet clients can reach them while the database tier remains unreachable from the internet. Which placement satisfies this requirement?
- Place the database in the screened subnet and the web servers on the internal network
- Place both the web and database tiers in the same internet-facing subnet for simplicity
- Place all tiers on the internal network and expose them through port forwarding on the edge router
- Place the web servers in a screened subnet (DMZ) between two firewall boundaries, with the database in a separate internal-only segment
Correct answer: Place the web servers in a screened subnet (DMZ) between two firewall boundaries, with the database in a separate internal-only segment
Putting the web servers in a screened subnet (DMZ) between an outer and inner filtering boundary, with the database in a separate internal-only segment, is correct: internet traffic terminates at the DMZ tier while a second boundary blocks any direct internet path to the database. Co-locating the database with internet-facing web servers, or exposing internal tiers through raw port forwarding, removes the layered boundary and gives an attacker who compromises the web tier (or the edge) a direct route to the data store.
- What is the fundamental difference between authentication and authorization in an identity architecture?
- Authentication and authorization are interchangeable names for the same access decision
- Authentication grants permissions, while authorization proves identity
- Authentication verifies who a principal is, while authorization determines what that principal is permitted to do
- Authentication encrypts traffic, while authorization compresses it
Correct answer: Authentication verifies who a principal is, while authorization determines what that principal is permitted to do
Authentication verifies who a principal is, while authorization determines what that authenticated principal is permitted to do. Authentication establishes identity (proving a claim such as a credential or key), and authorization is the subsequent decision about which resources and actions that identity may reach. They are distinct, sequential functions, not the same step, and neither concerns transport encryption or compression.
- A security architect must select an authorization model for a system where access decisions depend dynamically on the subject's department, the resource's classification, the requested action, and the time of day. Which model best fits these requirements?
- Attribute-based access control (ABAC), which evaluates policies over subject, resource, action, and environment attributes
- Mandatory access control, where access is fixed by static security labels
- Discretionary access control, where the resource owner grants access at will
- An access control list that statically enumerates permitted users per object
Correct answer: Attribute-based access control (ABAC), which evaluates policies over subject, resource, action, and environment attributes
Attribute-based access control (ABAC) evaluates policies over subject, resource, action, and environment attributes, making it the right model when decisions must combine department, classification, action, and time dynamically. ABAC composes these attributes at request time, whereas static ACLs, owner-driven DAC, and label-driven MAC cannot express context-sensitive conditions such as time of day.
- An architect is comparing RBAC and ABAC for a workforce identity platform. Which statement most accurately captures the trade-off?
- ABAC is always less secure than RBAC because it relies on attributes
- RBAC and ABAC cannot be combined in the same architecture
- RBAC offers simpler administration through coarse roles but can suffer role explosion, while ABAC provides fine-grained context-aware decisions at higher policy complexity
- RBAC supports context-aware decisions while ABAC only supports static roles
Correct answer: RBAC offers simpler administration through coarse roles but can suffer role explosion, while ABAC provides fine-grained context-aware decisions at higher policy complexity
RBAC offers simpler administration through coarse roles but can suffer role explosion, while ABAC provides fine-grained, context-aware decisions at the cost of higher policy complexity. RBAC assigns permissions through a manageable set of roles; ABAC evaluates rich attributes for precision. They are frequently combined (RBAC for coarse access, ABAC for fine-grained conditions) rather than mutually exclusive.
- In role-based access control, how are permissions most properly assigned to users?
- Permissions are assigned to roles, and users acquire permissions by being assigned to roles
- Permissions are inherited automatically from the resource owner
- Permissions are derived from the user's network IP address
- Permissions are assigned directly to each individual user account
Correct answer: Permissions are assigned to roles, and users acquire permissions by being assigned to roles
In role-based access control, permissions are assigned to roles, and users acquire those permissions by being assigned to roles. This indirection lets administrators manage entitlements through a stable set of job functions rather than per-user grants, easing administration and supporting least privilege. Assigning permissions directly to users defeats the central benefit of RBAC.
- Which statement correctly distinguishes mandatory access control (MAC) from discretionary access control (DAC)?
- MAC and DAC both let end users freely delegate their own access
- MAC applies only to network devices while DAC applies only to files
- In MAC the system enforces access based on labels and a central policy that users cannot override; in DAC the resource owner decides who may access the object
- In MAC the resource owner sets permissions; in DAC the system enforces fixed labels
Correct answer: In MAC the system enforces access based on labels and a central policy that users cannot override; in DAC the resource owner decides who may access the object
In MAC the system enforces access based on security labels and a central policy that users cannot override, while in DAC the resource owner decides who may access the object. MAC is non-discretionary and suited to high-assurance environments; DAC is flexible but allows owners to propagate access, which can lead to uncontrolled sharing. The owner-controlled description belongs to DAC, not MAC.
- An architect documents an access control matrix from two perspectives. Which statement correctly contrasts an access control list (ACL) with a capability table?
- Both an ACL and a capability table are organized strictly by object
- An ACL lists, per object, which subjects may access it; a capability table lists, per subject, which objects it may access
- Both an ACL and a capability table are organized strictly by subject
- An ACL lists, per subject, the objects it may access; a capability table lists, per object, the permitted subjects
Correct answer: An ACL lists, per object, which subjects may access it; a capability table lists, per subject, which objects it may access
An ACL lists, per object, which subjects may access it, whereas a capability table lists, per subject, which objects it may access. The two are the row-versus-column views of the same access control matrix: ACLs are object-centric and capabilities are subject-centric. This affects revocation and review workflows, since removing access differs depending on which view the system stores.
- Why does separation of duties strengthen security in a sensitive workflow such as initiating and approving large payments?
- It divides a critical task so that no single individual can complete it alone, reducing the opportunity for fraud or undetected error
- It grants every participant full privileges so any one of them can complete the task quickly
- It reduces the number of audit events the system must record
- It encrypts each step of the workflow so attackers cannot read it
Correct answer: It divides a critical task so that no single individual can complete it alone, reducing the opportunity for fraud or undetected error
Separation of duties divides a critical task so that no single individual can complete it alone, reducing the opportunity for fraud or undetected error. Requiring distinct people to initiate and approve a payment means collusion would be necessary to abuse the process, which is far less likely than a single bad actor. It is a control over task completion, not an encryption or logging measure.
- How does the principle of least privilege guide entitlement design in an IAM architecture?
- Privileges are assigned equally to all users to simplify administration
- Each subject is granted only the minimum access necessary to perform its function, and nothing more
- Privileges are granted permanently once and never reviewed
- Each subject is granted broad access up front to avoid future access requests
Correct answer: Each subject is granted only the minimum access necessary to perform its function, and nothing more
Under the principle of least privilege, each subject is granted only the minimum access necessary to perform its function and nothing more. This limits the blast radius if a credential is compromised and reduces insider risk. Granting broad standing access for convenience, equalizing privileges, or never reviewing grants all contradict least privilege and lead to entitlement creep.
- An architect designs an identity lifecycle for a large enterprise. Which sequence best describes the joiner-mover-leaver model the architecture must support?
- Provision access when a person joins, adjust entitlements as their role changes, and deprovision access when they leave
- Provision all possible access at hire and never modify it afterward
- Deprovision access at hire and provision it only at departure
- Grant access only when a user files a help-desk ticket each time
Correct answer: Provision access when a person joins, adjust entitlements as their role changes, and deprovision access when they leave
The joiner-mover-leaver model provisions access when a person joins, adjusts entitlements as their role changes, and deprovisions access when they leave. Anchoring this lifecycle to an authoritative source (such as HR) keeps entitlements aligned with current need and prevents orphaned accounts. Provisioning everything at hire or never adjusting it produces entitlement creep and standing risk.
- Why is timely deprovisioning considered as architecturally important as provisioning in identity lifecycle management?
- Provisioning is reversible automatically, so deprovisioning is unnecessary
- Failing to deprovision leaves orphaned accounts and standing entitlements that attackers and departed insiders can exploit
- Deprovisioning only matters for non-human service accounts
- Deprovisioning improves authentication speed for remaining users
Correct answer: Failing to deprovision leaves orphaned accounts and standing entitlements that attackers and departed insiders can exploit
Timely deprovisioning matters because failing to remove access leaves orphaned accounts and standing entitlements that attackers and departed insiders can exploit. Provisioning grants capability and deprovisioning removes it; an architecture that automates one but neglects the other accumulates dormant, high-risk access. Deprovisioning applies to both human and non-human identities.
- An architect wants to eliminate standing privileged access by granting elevated rights only at the moment a task requires them. Which approach implements this?
- Permanent membership in privileged groups to avoid request friction
- Disabling logging during privileged sessions to reduce overhead
- A shared administrator credential available to all operators
- Just-in-time access provisioning, where elevated entitlements are granted on request for a limited window and automatically revoked
Correct answer: Just-in-time access provisioning, where elevated entitlements are granted on request for a limited window and automatically revoked
Just-in-time access provisioning grants elevated entitlements on request for a limited window and automatically revokes them, eliminating standing privilege. Because the rights exist only during the approved task, the attack surface from dormant privileged accounts shrinks dramatically. Permanent group membership and shared admin credentials reintroduce exactly the standing risk JIT is designed to remove.
- How does Kerberos enable a user to authenticate once and then access multiple services without re-entering credentials?
- The user's password is forwarded in cleartext to every service for verification
- A central server pushes the password hash to every service in advance
- Each service independently prompts for the password and stores it
- After authenticating to the Key Distribution Center and obtaining a ticket-granting ticket, the client requests service tickets for each service from the ticket-granting service
Correct answer: After authenticating to the Key Distribution Center and obtaining a ticket-granting ticket, the client requests service tickets for each service from the ticket-granting service
In Kerberos, after authenticating to the Key Distribution Center and obtaining a ticket-granting ticket (TGT), the client requests service tickets for each target service from the ticket-granting service. The TGT proves prior authentication, so individual service tickets are issued without re-sending the password, enabling single sign-on. Kerberos deliberately avoids transmitting the password to services.
- What does a Kerberos service ticket contain that allows a target application server to validate the client without contacting the Key Distribution Center?
- A one-time SMS code shared with the user
- A session key and client identity encrypted with the target service's secret key, which only that service can decrypt
- The client's plaintext password for direct comparison
- A public certificate signed by an external certificate authority
Correct answer: A session key and client identity encrypted with the target service's secret key, which only that service can decrypt
A Kerberos service ticket contains a session key and client identity encrypted with the target service's secret key, which only that service can decrypt. Because the service shares its long-term key with the KDC, it can open the ticket locally and trust its contents without a round trip to the KDC. Kerberos relies on symmetric keys and tickets, not passwords, certificates, or SMS codes, for this validation.
- An architect is selecting authentication factors for a high-assurance workforce login. Which combination represents genuine multi-factor authentication?
- Two different passwords entered in sequence
- A password (something you know) plus a hardware security key (something you have)
- A password plus a security question, both something you know
- A username plus a password
Correct answer: A password (something you know) plus a hardware security key (something you have)
Genuine multi-factor authentication combines factors from different categories, such as a password (something you know) plus a hardware security key (something you have). Using two items from the same category, like a password and a security question (both knowledge factors), does not add a true second factor. A username is an identifier, not an authentication factor.
- In OAuth 2.0, which grant type is recommended for a server-side web application that can securely keep a client secret and acts on behalf of a user?
- The client credentials grant, which authenticates only the application with no user context
- The authorization code grant, in which the client exchanges a code for tokens at the token endpoint
- The resource owner password credentials grant, in which the app collects the user's password
- The implicit grant, which returns tokens directly in the browser redirect
Correct answer: The authorization code grant, in which the client exchanges a code for tokens at the token endpoint
For a confidential server-side web application acting on behalf of a user, the authorization code grant is recommended: the client receives a short-lived code and exchanges it for tokens at the token endpoint using its secret. The implicit grant is deprecated for security reasons per RFC 9700, the password grant exposes user credentials to the app, and client credentials carry no user context.
- Which OAuth 2.0 grant type is appropriate for machine-to-machine access where no end user is involved?
- The authorization code grant, which requires user interaction at the authorization endpoint
- The device authorization grant, designed for input-constrained user devices
- The client credentials grant, which authenticates the application itself to obtain an access token
- The refresh token grant, used only to renew an existing user token
Correct answer: The client credentials grant, which authenticates the application itself to obtain an access token
The client credentials grant is appropriate for machine-to-machine access with no end user: the application authenticates itself to obtain an access token for its own resources. The authorization code and device grants both involve a human user, and the refresh token grant only renews tokens issued under another flow rather than establishing the initial machine identity.
- In a standard OpenID Connect authorization code flow, what does the relying party ultimately receive that proves the end user's authentication?
- The user's password hash from the OpenID provider
- A symmetric key shared with all relying parties
- Only an opaque access token with no identity claims
- A signed ID token (a JWT) containing identity claims about the authenticated user
Correct answer: A signed ID token (a JWT) containing identity claims about the authenticated user
In an OpenID Connect authorization code flow, the relying party ultimately receives a signed ID token (a JWT) containing identity claims about the authenticated user. The ID token is what distinguishes OIDC from plain OAuth, conveying who the user is and how they authenticated. An access token alone authorizes resource calls but does not assert authentication, and passwords are never shared with the relying party.
- An architect must explain the relationship among SAML, OAuth 2.0, and OpenID Connect to stakeholders. Which description is accurate?
- OpenID Connect is unrelated to OAuth 2.0 and replaces SAML entirely
- SAML is an XML-based federation and SSO standard, OAuth 2.0 is an authorization-delegation framework, and OpenID Connect adds an authentication layer on top of OAuth 2.0
- All three are authentication-only protocols that perform identical functions
- OAuth 2.0 is an XML SSO protocol while SAML handles only authorization delegation
Correct answer: SAML is an XML-based federation and SSO standard, OAuth 2.0 is an authorization-delegation framework, and OpenID Connect adds an authentication layer on top of OAuth 2.0
SAML is an XML-based federation and SSO standard, OAuth 2.0 is an authorization-delegation framework, and OpenID Connect adds a standardized authentication layer on top of OAuth 2.0. SAML predominates in enterprise browser SSO, OAuth handles delegated API access, and OIDC reuses OAuth flows to convey authenticated identity. They are complementary, not identical or unrelated.
- What is the defining characteristic of a single sign-on (SSO) architecture from the user's perspective?
- The user's password is replicated to each application's local database
- The user authenticates once to a trusted identity provider and gains access to multiple applications without re-authenticating to each
- The user authenticates only after each application individually approves the request
- The user must enter separate credentials at every application
Correct answer: The user authenticates once to a trusted identity provider and gains access to multiple applications without re-authenticating to each
In a single sign-on architecture, the user authenticates once to a trusted identity provider and then gains access to multiple applications without re-authenticating to each. The identity provider asserts the authenticated session to relying applications, improving usability and centralizing credential handling. SSO specifically avoids replicating passwords into per-application stores or repeated credential prompts.
- What is the core concept of federated identity management across organizational boundaries?
- Each organization replicates the other's full user directory locally
- A single shared administrator account is used by all federated partners
- A relying organization trusts identity assertions issued by another organization's identity provider rather than maintaining local accounts for those users
- Users must hold a separate account in every participating organization
Correct answer: A relying organization trusts identity assertions issued by another organization's identity provider rather than maintaining local accounts for those users
In federated identity management, a relying organization trusts identity assertions issued by another organization's identity provider rather than maintaining local accounts for those users. Established trust relationships and standards such as SAML or OIDC let a user authenticate at their home identity provider and access partner resources. This avoids account replication, shadow accounts, or shared credentials across the federation.
- An organization wants to consume identity and access management as a cloud-delivered service rather than operating on-premises infrastructure. Which model are they adopting?
- A self-hosted on-premises directory with no external dependency
- A static configuration file distributed to each application
- Identity as a Service (IDaaS), a cloud-hosted IAM offering for authentication, SSO, and lifecycle management
- A peer-to-peer credential exchange among end-user devices
Correct answer: Identity as a Service (IDaaS), a cloud-hosted IAM offering for authentication, SSO, and lifecycle management
Identity as a Service (IDaaS) is a cloud-hosted IAM offering that delivers authentication, single sign-on, and lifecycle management as a subscription service. It shifts operational burden to a provider while supporting federation and modern protocols, and increasingly governs non-human and AI agent identities. It is the opposite of a purely self-hosted on-premises directory.
- What is the primary architectural role of LDAP directory services in an enterprise IAM design?
- To provide a hierarchical, queryable repository of identity and attribute information that applications can read and authenticate against
- To encrypt all network traffic between application tiers
- To perform real-time intrusion detection on directory queries
- To serve as the organization's primary firewall rule engine
Correct answer: To provide a hierarchical, queryable repository of identity and attribute information that applications can read and authenticate against
LDAP directory services provide a hierarchical, queryable repository of identity and attribute information that applications can read and authenticate against. The directory stores users, groups, and attributes in a tree structure and answers lookups and bind requests, acting as a central source of identity truth. It is a directory protocol, not an encryption, IDS, or firewall mechanism.
- What is the defining purpose of privileged access management (PAM) in a security architecture?
- To distribute software updates to endpoints
- To control, monitor, and secure accounts with elevated rights through vaulting, session recording, and just-in-time elevation
- To replace the need for any network segmentation
- To manage standard end-user passwords for low-risk applications
Correct answer: To control, monitor, and secure accounts with elevated rights through vaulting, session recording, and just-in-time elevation
Privileged access management (PAM) controls, monitors, and secures accounts with elevated rights through credential vaulting, session recording, and just-in-time elevation. Because privileged accounts are high-value targets, PAM reduces standing privilege, enforces approval workflows, and creates accountability. It focuses specifically on elevated accounts rather than ordinary end-user passwords or unrelated functions like patching.
- An architect must describe what an identity and access management architecture encompasses at the enterprise level. Which description is most complete?
- Only the firewall and network segmentation design
- Solely the encryption algorithms used to protect data at rest
- The integrated framework of policies, processes, and technologies that govern how identities are established, authenticated, authorized, and audited across systems
- Exclusively the physical badge readers at building entrances
Correct answer: The integrated framework of policies, processes, and technologies that govern how identities are established, authenticated, authorized, and audited across systems
An identity and access management architecture is the integrated framework of policies, processes, and technologies that govern how identities are established, authenticated, authorized, and audited across systems. It spans the full lifecycle and the authentication, authorization, and accounting functions for human and non-human identities. It is far broader than any single control such as a firewall, an encryption algorithm, or a badge reader.
- An architect is designing identity for autonomous AI agents and automated service accounts under the updated ISSAP guidance. Which design best enforces least privilege for these non-human identities?
- Let all agents share one broadly privileged service account for simplicity
- Assign each agent a distinct, scoped identity with narrowly defined entitlements and short-lived credentials governed centrally
- Exempt non-human identities from lifecycle and entitlement reviews
- Grant agents permanent administrative rights to avoid runtime failures
Correct answer: Assign each agent a distinct, scoped identity with narrowly defined entitlements and short-lived credentials governed centrally
For autonomous AI agents and automated service accounts, the strongest design assigns each agent a distinct, scoped identity with narrowly defined entitlements and short-lived credentials governed centrally. This applies least privilege and accountability to non-human entities, which the updated ISSAP outline emphasizes within IDaaS frameworks. Shared, over-privileged, or unreviewed service identities create unbounded and untraceable risk.
- An architect needs to verify a new employee's claimed identity before issuing credentials. Which lifecycle activity does this represent?
- Token rotation, the periodic reissuance of session tokens
- Accounting, the logging of user actions
- Authorization, the assignment of resource permissions
- Identity proofing, the process of establishing and verifying that a person is who they claim to be before enrollment
Correct answer: Identity proofing, the process of establishing and verifying that a person is who they claim to be before enrollment
Verifying a new employee's claimed identity before issuing credentials is identity proofing: establishing and verifying that a person is who they claim to be before enrollment. Proofing precedes credential issuance and underpins the trustworthiness of everything that follows in the lifecycle. Authorization, accounting, and token rotation occur after an identity has already been proofed and provisioned.
- An architect is designing the identity accounting function. Which capability most directly supports holding individual principals answerable for their actions?
- Audit logging that attributes each significant action to an authenticated identity with synchronized, tamper-evident timestamps
- Recording only failed logins and discarding successful activity
- Disabling logs on privileged systems to reduce storage
- Aggregating events without recording which identity performed them
Correct answer: Audit logging that attributes each significant action to an authenticated identity with synchronized, tamper-evident timestamps
Holding principals answerable requires audit logging that attributes each significant action to an authenticated identity with synchronized, tamper-evident timestamps. Reliable attribution and accurate time enable non-repudiation and forensic reconstruction. Anonymized aggregation, disabled logging, or capturing only failures all break the chain needed for accountability.
- During access certification, reviewers confirm that each user's entitlements still match their current responsibilities. What is the primary security objective of this recurring review?
- To replace the need for authentication entirely
- To detect and remove excessive or orphaned entitlements that accumulate as roles change over time
- To accelerate the speed of single sign-on logins
- To increase the number of roles defined in the system
Correct answer: To detect and remove excessive or orphaned entitlements that accumulate as roles change over time
The primary objective of recurring access certification is to detect and remove excessive or orphaned entitlements that accumulate as roles change over time. Without periodic recertification, users retain access from prior roles, producing privilege creep that violates least privilege. Certification is a governance control over entitlements, unrelated to login speed or eliminating authentication.
- An architect must choose how to externalize fine-grained authorization so that policy logic is not scattered through application code. Which component evaluates the policy and renders the access decision?
- A policy decision point (PDP) that evaluates externalized policy and returns permit or deny
- A policy enforcement point that intercepts requests but does not evaluate policy
- A directory server that stores user attributes only
- A certificate authority that issues identity certificates
Correct answer: A policy decision point (PDP) that evaluates externalized policy and returns permit or deny
A policy decision point (PDP) evaluates externalized policy and returns a permit or deny result, centralizing authorization logic outside application code. The policy enforcement point (PEP) intercepts the request and enforces the PDP's decision but does not itself evaluate the rules. Directory servers supply attributes and certificate authorities issue credentials; neither renders the authorization decision.
- In the XACML-style externalized authorization model, what is the role of the policy information point (PIP)?
- It encrypts the communication channel between services
- It supplies additional attribute values about the subject, resource, or environment that the decision point needs to evaluate policy
- It stores and administers the authorization policies
- It enforces the final permit or deny decision at the resource
Correct answer: It supplies additional attribute values about the subject, resource, or environment that the decision point needs to evaluate policy
In the XACML-style model, the policy information point (PIP) supplies additional attribute values about the subject, resource, or environment that the decision point needs to evaluate policy. The PIP feeds data to the PDP, which decides, while the PEP enforces and the policy administration point manages the rules. The PIP itself neither decides nor enforces nor encrypts.
- An architect must establish a trust relationship for federation between the enterprise identity provider and an external service provider. Which artifact is exchanged to enable validation of signed assertions?
- A shared single administrator account
- Public-key certificates and metadata that let each party validate the other's signed messages
- The internal IP addresses of each application server
- The end users' plaintext passwords
Correct answer: Public-key certificates and metadata that let each party validate the other's signed messages
Establishing federation trust involves exchanging public-key certificates and metadata that let each party validate the other's signed messages. The service provider uses the identity provider's published certificate to verify assertion signatures, and metadata conveys endpoints and supported bindings. Federation never requires sharing user passwords or a single shared administrator account.
- An architect is selecting an authentication protocol for centralized network access control of administrators logging into network devices, with full command-level authorization and accounting. Which protocol family is most appropriate?
- A AAA protocol such as TACACS+ or RADIUS that centralizes authentication, authorization, and accounting
- SMTP for relaying authentication emails
- DNS for resolving device names to addresses
- NTP for synchronizing device clocks
Correct answer: A AAA protocol such as TACACS+ or RADIUS that centralizes authentication, authorization, and accounting
A AAA protocol such as TACACS+ or RADIUS is most appropriate for centralizing authentication, authorization, and accounting for administrators on network devices. TACACS+ in particular separates these functions and supports granular command-level authorization, while RADIUS combines authentication and authorization. SMTP, DNS, and NTP serve mail, name resolution, and time, not access control.
- An architect wants risk-based authentication that requires stronger proof only when context indicates elevated risk, such as an unfamiliar device or impossible travel. Which design supports this?
- Adaptive authentication that evaluates contextual signals and steps up factors when risk thresholds are exceeded
- A fixed single factor applied identically to every login regardless of context
- Authentication performed once with no subsequent evaluation
- Removing authentication for users on the internal network
Correct answer: Adaptive authentication that evaluates contextual signals and steps up factors when risk thresholds are exceeded
Adaptive (risk-based) authentication evaluates contextual signals such as device, location, and behavior, and steps up factors when risk thresholds are exceeded. This lets low-risk logins stay frictionless while high-risk attempts face additional challenges, advancing a zero-trust posture. A uniform single factor or a one-time login cannot respond to changing risk, and trusting the internal network contradicts zero trust.
- An architect needs to provision identities into many SaaS applications using a standardized, automated protocol rather than custom scripts. Which standard is purpose-built for cross-domain identity provisioning?
- ARP, an address resolution protocol
- SCIM (System for Cross-domain Identity Management), a REST-based provisioning standard
- ICMP, a network control message protocol
- SMTP, a mail transfer protocol
Correct answer: SCIM (System for Cross-domain Identity Management), a REST-based provisioning standard
SCIM (System for Cross-domain Identity Management) is the REST-based standard purpose-built for automated cross-domain identity provisioning and deprovisioning into SaaS applications. It defines schemas and operations so an identity provider can create, update, and disable accounts consistently. SMTP, ICMP, and ARP are unrelated networking protocols with no provisioning role.
- An architect is choosing between synchronizing identities into each application versus presenting a unified view without copying data. Which technology presents a consolidated directory view across multiple back-end stores without replicating the data?
- A static export file regenerated nightly
- A full replica copied into every application's local database
- A single flat VLAN connecting all directories
- A directory virtualization service that aggregates multiple directories into a single logical view at query time
Correct answer: A directory virtualization service that aggregates multiple directories into a single logical view at query time
A directory virtualization service aggregates multiple directories into a single logical view at query time without replicating the underlying data. Applications query one virtual endpoint while the service federates lookups to the real back-end stores, avoiding the staleness and sprawl of copying data everywhere. Full replicas and nightly exports duplicate data, and a VLAN is a network construct, not a directory.
- An architect must decide how privileged session credentials are handled so that administrators never directly know the target system passwords. Which PAM capability achieves this?
- Disabling password rotation to keep credentials stable
- Credential vaulting with brokered, proxied sessions so the vault injects secrets without revealing them to the user
- Letting each admin set and memorize permanent device passwords
- Posting the shared admin password in a team wiki
Correct answer: Credential vaulting with brokered, proxied sessions so the vault injects secrets without revealing them to the user
Credential vaulting with brokered, proxied sessions lets the PAM vault inject secrets into a session without revealing them to the administrator. The vault checks out and rotates the credential and proxies the connection, so the human never learns the password, reducing reuse and theft risk. Wiki-posted, memorized, or non-rotated credentials reintroduce exactly the exposure vaulting removes.
- An architect designs the authorization workflow for granting access to a sensitive system. Which sequence reflects sound governance over the access lifecycle?
- Permanent grant at request with no review or revocation
- Self-issuance by the requester with no approval step
- Request, approval by an accountable owner, issuance, periodic review, and revocation when no longer needed
- Issuance first, with approval only requested after access is already granted
Correct answer: Request, approval by an accountable owner, issuance, periodic review, and revocation when no longer needed
Sound authorization governance follows request, approval by an accountable owner, issuance, periodic review, and revocation when access is no longer needed. This ensures entitlements are justified, owned, recertified, and removed at end of need, supporting least privilege over time. Issuing before approval or self-issuing with no review removes the control that keeps access appropriate.
- An architect is implementing single sign-on but must ensure that one compromised SSO session cannot silently authorize the most sensitive transactions. Which complementary control is most appropriate?
- Step-up (re-)authentication that requires an additional factor for high-sensitivity actions even within an active SSO session
- Extending the SSO session lifetime indefinitely to reduce prompts
- Granting the SSO session full administrative rights by default
- Disabling logout so sessions never terminate
Correct answer: Step-up (re-)authentication that requires an additional factor for high-sensitivity actions even within an active SSO session
Step-up re-authentication, which requires an additional factor for high-sensitivity actions even within an active SSO session, ensures a single compromised session cannot silently authorize critical transactions. SSO improves usability for routine access, but sensitive operations warrant fresh proof. Extending session lifetime, granting default admin rights, or disabling logout all increase the damage a hijacked session can do.
- An architect must reconcile separation of duties with role design in RBAC. Which RBAC feature directly enforces that conflicting roles are not simultaneously held by one user?
- Granting every user all roles to maximize flexibility
- Assigning roles based only on seniority
- Removing all role constraints to simplify administration
- Static separation-of-duties constraints that prohibit assigning mutually exclusive roles to the same user
Correct answer: Static separation-of-duties constraints that prohibit assigning mutually exclusive roles to the same user
Static separation-of-duties constraints in RBAC prohibit assigning mutually exclusive roles to the same user, directly enforcing separation of duties at the role level. By defining conflicting role pairs that cannot coexist, the architecture prevents a single individual from acquiring an unsafe combination of capabilities. Granting all roles or removing constraints would defeat separation of duties entirely.
- An architect evaluates token-based versus certificate-based authentication approaches for service identities. Which statement is accurate?
- Certificate-based authentication uses an asymmetric key pair and a CA-issued certificate to prove identity, while token-based authentication presents a bearer or sender-constrained credential issued by an authority
- Certificate-based authentication requires sharing the private key with the verifier
- Token-based authentication always uses a physical smart card while certificates never do
- Token-based and certificate-based authentication both require the verifier to store the user's password
Correct answer: Certificate-based authentication uses an asymmetric key pair and a CA-issued certificate to prove identity, while token-based authentication presents a bearer or sender-constrained credential issued by an authority
Certificate-based authentication uses an asymmetric key pair and a CA-issued certificate to prove identity, while token-based authentication presents a bearer or sender-constrained credential issued by an authority. Certificates rely on the holder retaining the private key (never shared), and proof comes from signing a challenge. Neither approach requires the verifier to store the user's password.
- An architect must protect against privilege escalation through nested or transitive group memberships in a directory. Which design practice most reduces this risk?
- Granting permissions only through deeply nested groups by default
- Allowing unlimited nesting depth without review to simplify administration
- Disabling group-based access entirely and assigning all rights per user
- Regularly analyzing effective permissions including inherited and nested group memberships to detect unintended privilege accumulation
Correct answer: Regularly analyzing effective permissions including inherited and nested group memberships to detect unintended privilege accumulation
Regularly analyzing effective permissions, including inherited and nested group memberships, detects unintended privilege accumulation that direct grants alone do not reveal. Transitive memberships can silently confer entitlements far beyond intent, so computing effective access is essential. Unlimited unreviewed nesting hides risk, and abandoning groups for per-user grants reintroduces the unmanageability RBAC solves.
- An architect is defining how OAuth scopes should be designed for an API platform to uphold least privilege for client applications. Which approach is best?
- Grant every client full administrative scope by default
- Define narrow, granular scopes so each client requests only the specific permissions it needs
- Use scopes only for logging and ignore them in authorization decisions
- Issue a single all-encompassing scope to every client for simplicity
Correct answer: Define narrow, granular scopes so each client requests only the specific permissions it needs
Defining narrow, granular scopes so each client requests only the specific permissions it needs upholds least privilege on an API platform. Fine-grained scopes constrain what a compromised token can do and make consent meaningful. A single broad scope, default admin scope, or scopes ignored at enforcement time all expand the blast radius of a leaked token.
- An architect designs continuous, identity-centric access evaluation aligned with zero trust. Which behavior best characterizes this approach?
- Access is granted permanently once the user passes the first login
- Authorization is cached forever to minimize policy evaluations
- Access decisions are continuously re-evaluated against current identity, device, and context signals rather than trusted indefinitely after initial login
- Trust is assigned based on the user being inside the corporate network
Correct answer: Access decisions are continuously re-evaluated against current identity, device, and context signals rather than trusted indefinitely after initial login
In a zero-trust, identity-centric model, access decisions are continuously re-evaluated against current identity, device, and context signals rather than trusted indefinitely after initial login. If risk rises or context changes, access can be challenged or revoked mid-session. Permanent post-login trust, location-based trust, and forever-cached authorization all contradict continuous evaluation.
- An architect must select an identifier strategy when assigning identities to users, services, and devices across many systems. Which practice best preserves accountability and avoids ambiguity?
- Assign each entity a unique, non-reusable identifier that is not shared across distinct principals
- Allow multiple people to share one generic identifier for a role
- Reuse a departed employee's identifier for the next new hire
- Rotate identifiers randomly so they cannot be correlated over time
Correct answer: Assign each entity a unique, non-reusable identifier that is not shared across distinct principals
Assigning each entity a unique, non-reusable identifier that is not shared across distinct principals preserves accountability and avoids ambiguity. Reusing or sharing identifiers breaks attribution, since actions can no longer be tied to a single responsible entity, and recycling a departed user's ID can wrongly link old access to a new person. Unique, persistent identifiers underpin reliable auditing.
- An architect compares federation protocols and must decide when SAML versus OpenID Connect is the better fit for a new integration. Which guidance is most accurate?
- The two protocols cannot coexist in the same identity provider
- SAML is preferred for native mobile apps because of its lightweight JSON tokens
- SAML suits browser-based enterprise SSO with legacy SaaS, while OpenID Connect suits modern web, mobile, and API scenarios needing JSON/JWT-based identity
- OpenID Connect should be used only for XML-based legacy applications
Correct answer: SAML suits browser-based enterprise SSO with legacy SaaS, while OpenID Connect suits modern web, mobile, and API scenarios needing JSON/JWT-based identity
SAML suits browser-based enterprise SSO and integration with legacy SaaS, while OpenID Connect suits modern web, mobile, and API scenarios needing JSON/JWT-based identity. SAML uses XML assertions favored by established enterprise applications; OIDC's lightweight JWTs and OAuth foundation fit mobile and API-centric designs. Most enterprise identity providers support both simultaneously rather than forcing a single choice.
- An architect must specify phishing-resistant workforce authentication at the highest authenticator assurance level (AAL3) under the current NIST Digital Identity Guidelines. A vendor proposes cloud-synced passkeys that roam across a user's devices. Why do synced passkeys fall short of AAL3, and what should the architect specify instead?
- Synced passkeys fall short because they are not phishing-resistant, so the architect should require SMS one-time passcodes for the second factor
- Synced passkeys already satisfy AAL3, so the architect can approve them without any additional hardware requirement
- Synced passkeys fall short because their private keys are exportable through the cloud sync fabric; AAL3 requires a hardware-bound authenticator with a non-exportable private key, such as a FIDO2 security key or smart card
- Synced passkeys fall short only because they are slower to use; the architect should keep them and simply extend session lifetimes
Correct answer: Synced passkeys fall short because their private keys are exportable through the cloud sync fabric; AAL3 requires a hardware-bound authenticator with a non-exportable private key, such as a FIDO2 security key or smart card
Synced passkeys fall short of AAL3 because their private keys are exportable through the cloud sync fabric, and AAL3 requires a hardware-bound authenticator with a non-exportable private key, such as a FIDO2 security key or smart card. The current NIST guidance treats synced passkeys as phishing-resistant and acceptable at AAL2, but reserves AAL3 for device-bound credentials whose keys cannot leave the authenticator. The distinction is exportability, not phishing resistance, so falling back to SMS would actually reduce resistance to phishing rather than raise assurance.
- In a NIST SP 800-207 zero-trust architecture, the policy decision point is decomposed into two cooperating elements. Which description correctly assigns their responsibilities for an access request?
- The policy engine encrypts the data channel, while the policy administrator stores the user's password for later reuse
- The policy engine physically sits in front of each resource and blocks packets, while the policy administrator writes the firewall rules by hand
- The policy engine and policy administrator are the same component under different names and perform identical functions
- The policy engine renders the trust decision (grant, deny, or revoke) using policy and contextual inputs, while the policy administrator establishes or tears down the session and signals the enforcement point to allow or block the connection
Correct answer: The policy engine renders the trust decision (grant, deny, or revoke) using policy and contextual inputs, while the policy administrator establishes or tears down the session and signals the enforcement point to allow or block the connection
In NIST SP 800-207, the policy engine renders the trust decision (grant, deny, or revoke) by evaluating policy and contextual inputs, while the policy administrator establishes or tears down the session and signals the policy enforcement point to allow or block the connection. The policy engine and policy administrator together form the logical policy decision point, and the enforcement point sits near the resource carrying out the decision. They are distinct roles, and neither stores passwords nor performs transport encryption as its defining function.
- Under NIST SP 800-162, an architect is defining the inputs an ABAC policy decision evaluates. Which set correctly enumerates the categories of attributes the access control mechanism combines against policy?
- Subject attributes, object (resource) attributes, the requested operation, and environment conditions
- The resource owner's discretionary grant list and the subject's password strength
- Only the subject's assigned static role and nothing else
- Only the source IP address and the time the request arrives
Correct answer: Subject attributes, object (resource) attributes, the requested operation, and environment conditions
Under NIST SP 800-162, an ABAC decision combines subject attributes, object (resource) attributes, the requested operation, and environment conditions against the governing policy. Evaluating all four categories is what lets ABAC express context-aware rules, such as permitting a subject in a given department to read a resource of a given classification during business hours. Limiting the decision to a static role, an IP and time, or an owner's discretionary list describes RBAC, a coarse network rule, or DAC, not ABAC.
- An architect is hardening a Kerberos design against replay of captured authentication messages on the corporate network. Which mechanism within the Kerberos exchange most directly defeats replay of a client's proof of identity to a service?
- Embedding the client's public certificate in the ticket so the service can look it up in a public registry
- An authenticator containing a timestamp, encrypted with the session key, which the service checks for freshness and rejects if it falls outside the allowed clock-skew window or has been seen before
- Transmitting the user's password to the service so it can be compared on every request
- Disabling time synchronization so that timestamps cannot be compared at all
Correct answer: An authenticator containing a timestamp, encrypted with the session key, which the service checks for freshness and rejects if it falls outside the allowed clock-skew window or has been seen before
Replay is defeated by the authenticator, which contains a timestamp encrypted with the session key; the service verifies the timestamp is fresh, rejects messages outside the allowed clock-skew window, and discards previously seen authenticators. Because only the legitimate client holds the session key, an attacker who captures and resends the message cannot produce a fresh, validly encrypted authenticator. This is why Kerberos depends on synchronized clocks, and why disabling time synchronization would break the very control that stops replay; Kerberos uses symmetric session keys and tickets rather than transmitted passwords or public certificates.
- An architect is choosing a centralized AAA protocol for administrative access to network infrastructure and is concerned that an attacker passively sniffing the management segment could read usernames, authorized commands, and accounting data in transit. Which protocol best addresses this concern, and why?
- RADIUS, because running over TCP it guarantees the entire exchange is encrypted end to end
- TACACS+, because it encrypts the entire body of the packet (not just the password) and runs over connection-oriented TCP, concealing usernames and per-command authorization from a passive sniffer
- RADIUS, because it encrypts the full packet body including the username and every attribute
- TACACS+, because it sends all attributes in cleartext but compensates with a faster UDP transport
Correct answer: TACACS+, because it encrypts the entire body of the packet (not just the password) and runs over connection-oriented TCP, concealing usernames and per-command authorization from a passive sniffer
TACACS+ best addresses the concern because it encrypts the entire body of the packet rather than only the password, and it runs over connection-oriented TCP, so a passive sniffer cannot read usernames or per-command authorization details. RADIUS, by contrast, encrypts only the password attribute in its access-request and leaves the username, authorized services, and accounting data exposed, and it uses connectionless UDP. TACACS+ also separates authentication, authorization, and accounting, which supports granular command-level control for device administration.
- An architect wants leaver events to remove access from cloud SaaS within minutes rather than at the next nightly batch. The enterprise already federates authentication and uses SCIM with its applications. Which design most directly achieves near-real-time deprovisioning?
- Rotate the application's shared service password each quarter and treat that as deprovisioning for individual leavers
- Leave the SaaS accounts active but ask end users to stop using them after they are terminated
- Wait for the nightly reconciliation job, since real-time deprovisioning is not achievable with standards-based provisioning
- Trigger SCIM deactivation or delete operations from the authoritative HR or identity source the moment a termination event is recorded, so connected applications disable the account immediately, and rely on short-lived federated tokens so existing sessions expire quickly
Correct answer: Trigger SCIM deactivation or delete operations from the authoritative HR or identity source the moment a termination event is recorded, so connected applications disable the account immediately, and rely on short-lived federated tokens so existing sessions expire quickly
Near-real-time deprovisioning is achieved by triggering SCIM deactivation or delete operations from the authoritative HR or identity source the instant a termination event is recorded, so connected applications disable the account immediately, paired with short-lived federated tokens so any active session expires quickly. Event-driven provisioning closes the window that batch reconciliation leaves open, during which a departed insider retains live access. Relying on nightly jobs, voluntary user behavior, or quarterly password rotation leaves orphaned, exploitable access in place.
- An architect is designing how resource servers validate OAuth 2.0 access tokens at scale and must weigh self-contained JWT access tokens against opaque tokens validated by introspection. Which trade-off statement is accurate?
- Opaque tokens cannot be revoked because they contain no embedded claims, while JWTs are revoked instantly by the resource server
- A JWT access token is always opaque and must be sent to the introspection endpoint, while an opaque token carries all claims for local validation
- Both JWT and opaque tokens are revoked instantly and identically, so the choice has no security implications
- A self-contained JWT can be validated locally by checking its signature and claims without calling the authorization server, but cannot be revoked before expiry; an opaque token validated via the introspection endpoint supports near-real-time revocation at the cost of a network call per validation
Correct answer: A self-contained JWT can be validated locally by checking its signature and claims without calling the authorization server, but cannot be revoked before expiry; an opaque token validated via the introspection endpoint supports near-real-time revocation at the cost of a network call per validation
A self-contained JWT access token can be validated locally by verifying its signature and claims without calling the authorization server, but it generally cannot be revoked before its expiry, so short lifetimes are essential. An opaque token validated through the introspection endpoint lets the authorization server report current status, enabling near-real-time revocation, but it costs a network round trip on each validation (often mitigated with brief caching). Choosing between them is a genuine trade-off between performance and immediacy of revocation, not a wash, and the two token types are not interchangeable in how they are validated.