
SSCP Question #177: Real Exam Question with Answer & Explanation

The correct answer is D: Is there a process for reporting incidents?

Submitted by fatema_kw · Apr 18, 2026 · Access Controls

Question

Which of the following questions is less likely to help in assessing identification and authentication controls?

Options

  • A. Is a current list maintained and approved of authorized users and their access?
  • B. Are passwords changed at least every ninety days or earlier if needed?
  • C. Are inactive user identifications disabled after a specified period of time?
  • D. Is there a process for reporting incidents?

Explanation

Questions A, B, and C are all directly relevant to assessing identification and authentication (I&A) controls: maintaining an authorized user list (A), enforcing password expiration policies (B), and disabling inactive accounts (C) are core I&A control activities. Incident reporting (D) is a separate security domain - it belongs to incident response management, not I&A controls. While important to overall security, it does not directly assess how users are identified or authenticated.

Topics

#Identification #Authentication #Access Control Assessment #Security Controls
