SSCP Exam: Assessing Identification and Authentication Controls



Question

Which of the following questions is less likely to help in assessing identification and authentication controls?

Answers

A. Is a current list of authorized users maintained and approved?
B. Are passwords changed regularly?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents?

Correct answer: D.

Explanations

Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system.

Access control usually requires that the system be able to identify and differentiate among users.

Reporting incidents is more related to incident response capability (an operational control) than to identification and authentication (a technical control).

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).

All of the options listed are relevant to the assessment of identification and authentication controls, but one of them is less likely to provide specific information related to those controls. The question that is less likely to help in assessing identification and authentication controls is option D, "Is there a process for reporting incidents?"

While incident reporting is an important aspect of security management, it is not directly related to identification and authentication controls. Incident reporting typically deals with the handling of security breaches or violations after they have occurred, rather than the prevention of unauthorized access through identification and authentication controls.

On the other hand, options A, B, and C are all directly related to identification and authentication controls. Option A asks whether a current list of authorized users is maintained and approved, which relates to the process of identifying and verifying users. Option B asks whether passwords are changed regularly, which is a common authentication control used to prevent unauthorized access by requiring users to periodically update their passwords. Option C asks whether inactive user identifications are disabled after a specified period of time, which is also a common control to prevent unauthorized access by removing access privileges from inactive accounts.
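The three checks that options A, B and C describe can be run directly against account data. The following is an added example, not from the exam source or from NIST SP 800-26; the account records, approved-user list, assessment date and 90-day thresholds are all constructed for illustration.

```python
from datetime import date

# Constructed sample account records (not real data). Dates are ISO strings.
ACCOUNTS = [
    {"uid": "alice",      "last_login": "2024-05-30", "pw_changed": "2024-04-01", "enabled": True},
    {"uid": "bob",        "last_login": "2023-11-02", "pw_changed": "2024-05-15", "enabled": True},
    {"uid": "carol",      "last_login": "2024-05-28", "pw_changed": "2023-09-01", "enabled": True},
    {"uid": "svc-backup", "last_login": "2024-05-29", "pw_changed": "2024-05-01", "enabled": True},
    {"uid": "dave",       "last_login": "2023-06-10", "pw_changed": "2023-06-10", "enabled": False},
]

# Option A: the maintained and approved list of authorized users (constructed).
APPROVED_USERS = {"alice", "bob", "carol", "dave"}


def assess_ia_controls(accounts, approved, today, max_pw_age_days=90, max_idle_days=90):
    """Return findings for the three identification and authentication checks.

    not_approved     -- option A: account exists but is not on the approved list
    stale_password   -- option B: enabled account whose password is older than the policy
    inactive_enabled -- option C: enabled account idle longer than the policy allows
    """
    findings = {"not_approved": [], "stale_password": [], "inactive_enabled": []}
    for acct in accounts:
        uid = acct["uid"]
        if uid not in approved:
            findings["not_approved"].append(uid)
        if not acct["enabled"]:
            continue  # a disabled ID already satisfies the inactivity control
        pw_age = (today - date.fromisoformat(acct["pw_changed"])).days
        if pw_age > max_pw_age_days:
            findings["stale_password"].append(uid)
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > max_idle_days:
            findings["inactive_enabled"].append(uid)
    return findings


def controls_pass(findings):
    """True only when every check produced no findings."""
    return all(len(v) == 0 for v in findings.values())


if __name__ == "__main__":
    result = assess_ia_controls(ACCOUNTS, APPROVED_USERS, date(2024, 6, 1))
    for check, uids in result.items():
        print(f"{check}: {uids or 'none'}")
    print("all I&A checks pass:", controls_pass(result))
```

Each finding maps back to one assessment question, so an empty list for a check is the evidence an assessor would record for that question.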

In summary, while all of the options listed are relevant to security management, option D is less likely to help in assessing identification and authentication controls as it is focused on incident reporting rather than prevention through access control measures.