1. A database storing user passwords was breached. The attacker finds that all passwords are stored as bcrypt hashes with unique salts. What does this storage method prevent, and why is it more secure than storing SHA-256 hashes without salt?
2. A government intelligence agency uses a system where user access is determined by security clearance labels (Top Secret, Secret, Unclassified) applied by the system administrator, and users cannot grant access to other users regardless of their own clearance level. Which access control model is this?
3. A plumber arrives to repair pipes in a corporate data center. The reception desk issues the plumber a visitor badge and has the facilities manager escort the plumber throughout the visit. Which physical security standard is being followed, and why is the escort requirement specifically necessary for visitors (not just employees)?
4. A company's encryption standard requires AES-256 for laptops and TLS 1.3 for web application traffic. Which data states do these requirements address, respectively?
5. An organization achieves ISO/IEC 27001 certification. What does this certification demonstrate, and how does ISO 27001 differ from NIST SP 800-53?
6. A company's access control standard requires that when an employee's contract ends, their system access is removed on the last day of employment. The HR department typically submits access removal requests 3–5 business days after the last day. What risk does this gap create, and what access control process should the standard specify?
Matching: Access Control Models
Match each access control model (1–4) to its defining characteristic (A–D).
1MAC
2DAC
3RBAC
4ABAC
AAccess is determined by job function; users inherit permissions assigned to their position; most common enterprise model
BSystem enforces access based on classification labels; users cannot grant access beyond their clearance level; used in classified environments
CResource owner decides who can access their resources; typical of standard OS file permissions
DAccess decisions use multiple attributes simultaneously: user attributes, resource attributes, and environmental conditions like time and location