Pass CISSP Exam Guide

The access control methodology that best describes the scenario is Role Based Access Control (RBAC). RBAC is a type of access control that assigns permissions and privileges to the users or the devices based on their roles or functions in the organization, rather than their identities or attributes. RBAC can simplify and streamline the access control management, as it can reduce the complexity and redundancy of the access control policies and procedures, and it can support the principle of least privilege and the separation of duties. The scenario indicates that the application access is based on job classification, which is a characteristic of RBAC, as the job classification can define the role or the function of the user or the device in the organization. Least privilege, Lattice Based Access Control (LBAC), and Lightweight Directory Access Control (LDAP) are not the access control methodologies that best describe the scenario, as they are related to the minimum level of access required, the mathematical model of access rights, or the protocol for accessing directory services, not the role or the function of the user or the device in the organization. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 667. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 683.

The best way to mitigate a replay attack against a system using identity federation and Security Assertion Markup Language (SAML) implementation is to use timed sessions and Secure Socket Layer (SSL). A replay attack is a type of network attack that involves capturing and retransmitting a valid message or data to gain unauthorized access or perform malicious actions. Identity federation is a process that enables the sharing of identity information across different security domains, such as different organizations or applications. SAML is a standard protocol that enables identity federation by using XML-based assertions to exchange authentication and authorization information. To prevent a replay attack, the system can use timed sessions and SSL. Timed sessions are sessions that have a limited duration and expire after a certain period of time or inactivity. SSL is a protocol that provides encryption and authentication for data transmission over the internet. By using timed sessions and SSL, the system can ensure that the SAML assertions are valid, fresh, and secure, and that they cannot be reused or tampered with by an attacker. Two-factor authentication, digital certificates and hardware tokens, and passwords with alpha-numeric and special characters are not the best ways to mitigate a replay attack against a system using identity federation and SAML implementation, as they do not address the specific vulnerabilities of the SAML protocol or the network transmission. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 462. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 478.

Encrypting the entire disk and deleting the contents after a set number of failed access attempts provides the most protection against data theft of sensitive information when a laptop is stolen. This method ensures that the data is unreadable without the correct decryption key, and that the data is erased if someone tries to guess the key or bypass the encryption. Setting up a BIOS and operating system password, encrypting the virtual drive, or implementing a policy are less effective methods, as they can be circumvented by physical access, booting from another device, or copying the data to another location. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, p. 269; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), p. 521.

The best indicator of where the IT budget is best allocated during this time is the metrics. The metrics are the measurements or the indicators of the performance, the effectiveness, the efficiency, or the quality of the IT processes, activities, or outcomes. The metrics can help to allocate the IT budget in a rational, objective, and evidence-based manner, as they can show the value, the impact, or the return of the IT investments, and they can identify the gaps, the risks, or the opportunities for the IT improvement or enhancement. The metrics can also help to justify, communicate, or report the IT budget allocation to the senior management or the stakeholders, and to align the IT budget allocation with the business needs and requirements. Policies, frameworks, and guidelines are not the best indicators of where the IT budget is best allocated during this time, as they are related to the documents or the models that define, guide, or standardize the IT processes, activities, or outcomes, not the measurements or the indicators of the IT performance, effectiveness, efficiency, or quality. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 38. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 53.