
CISSP Question #151: Real Exam Question with Answer & Explanation

The correct answer is D: after a period of inactivity. This question tests knowledge of session security best practices, specifically when re-authentication should be triggered beyond the initial login.

Submitted by khalil_dz · Mar 5, 2026 · Identity and Access Management

Question

Refer to the information below to answer the question. A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes. In addition to authentication at the start of the user session, best practice would require re-authentication

Options

  • A. periodically during a session.
  • B. for each business process.
  • C. at system sign-off.
  • D. after a period of inactivity.

Explanation

Beyond the initial login, best practice is to require re-authentication after a period of inactivity: an idle session may have been left unattended, so the inactivity timeout acts as the specific security trigger for re-verifying the user before access continues.

Common mistakes.

  • A. Re-authentication on a purely periodic time basis during an active session is not a standard best practice, as it disrupts productive work without a specific security trigger such as inactivity or privilege escalation.
  • B. Requiring re-authentication for every business process would create excessive friction and is not a recognized best practice; role-based access control (RBAC) already governs application access based on job classification as described in the scenario.
  • C. Sign-off (logout) terminates the session entirely, so re-authentication at that point is irrelevant and does not constitute a security control - the session is already being ended by the user.

Concept tested. Session re-authentication after inactivity timeout

Reference. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#re-authentication #session management #access control #security best practices
