CERTIFIED-IN-CYBERSECURITY · Question #557

The correct answer is A.

Access Controls Concepts

Question

What is the difference between 'implicit deny' and 'explicit deny' in access control?

Options

  • A. 'Implicit deny' means that access is denied unless specifically granted, while 'explicit deny' means
  • B. 'Implicit deny' means system administrators have access denied, while explicit deny means the
  • C. There is no difference between 'implicit deny' and 'explicit deny'
  • D. 'Implicit deny' means the last user to access the system denied access, while 'explicit deny'

Explanation

In access control systems, implicit deny works on the principle that access is automatically denied unless it is explicitly granted (see ISC2 Study Guide, Chapter 3, Module 3). For example, in an organization, if a particular employee has not been given specific permissions to access a confidential folder on a shared drive, access is denied by default (that is, implicitly).

Conversely, an 'explicit deny' is a rule that explicitly denies access to a user or group, overriding all other permissions. For example, suppose a rule explicitly denies an employee access to a particular database. In this case, they will not be able to access it, regardless of whether they have a general access privilege to other databases.

As for the other options, 'implicit deny' does not specifically deny access to the system administrator, and 'explicit deny' has nothing to do with the user who created the object. In addition, neither implicit deny nor explicit deny is about the last user to access the system. Finally, as explained earlier, the notion that there is no difference between implicit deny and explicit deny is incorrect.

Topics

#Access Control #Implicit Deny #Explicit Deny #Security Principles
