Identity and Access Management (IAM) and Security Assessment and Testing

Domain 5 – Identity and Access Management
please respond to one or more of the following questions.

  1. Describe the controls contained within the three Access Control categories that can be integrated within a defense-in-depth model and give an example of one that you have read about or have knowledge of from your own experience.
  2. Describe three threats to Access Control from what were covered within the reading and give an example of each.
  3. Describe three of the intrusion detection system types used in access control monitoring covered within the reading. What is a honeypot and what are the legal concerns with using them?
  4. What are the challenges that an Identity and Access Management system helps overcome? What benefits does it provide?
  5. Describe the process of Identification, Authentication, Authorization, and Accountability. What is a race condition?
  6. Discuss the single sign-on technologies Kerberos, security domains, directory services and thin clients. What does federation provide?

Domain 6 – Security Assessment and Testing
please respond to one or more of the following questions.

  1. Describe the steps in the information system security audit process.
  2. Describe the differences between Black box, White box, and Gray box forms of vulnerability and penetration testing.
  3. What are the five steps a team goes through when conducting a penetration test? What are the three degrees of knowledge that a penetration team can have about the target?
  4. Discuss any three of the commonly exploited vulnerabilities targeted in penetration tests and the appropriate countermeasures to mitigate them.
  5. Discuss the various test types that Operations and Security Departments should carry out to monitor the environment’s vulnerability to attack.
  6. Define the following KPI terms: factor, measurement, baseline, metric, and indicator. What is the difference between a KPI and KRI?
  7. What are the key elements that should be included in a good technical audit report? What should be included to provide senior management a brief overview of the report highlights?

Leave a Reply