CSC Identity and Access Management (IAM) Compliance 3

Question 1

What compliance consideration specifically applies to biometric authentication data under U.S. and international regulations?

Accepted Answer

Biometric data is classified as sensitive personal data under laws like GDPR and Illinois BIPA, requiring consent, secure storage, and breach notification

Answer

Biometric data is fully exempt from all privacy and data protection regulations

Answer

Biometrics automatically satisfy all authentication compliance requirements without additional controls

Answer

Biometric systems do not require user consent because data is collected passively

Question 2

Why do service accounts require special IAM compliance attention in an organization?

Accepted Answer

Service accounts are non-human accounts used by applications with often-elevated privileges that lack standard interactive controls like password rotation

Answer

Service accounts are customer-facing accounts used for online banking portals

Answer

Service accounts are temporary accounts created exclusively for contractors

Answer

Service accounts are only used by IT help desk staff for tier-1 support

Question 3

Under SOX compliance, what specific IAM control is required for access to financial reporting systems?

Accepted Answer

Separation of duties and access controls preventing unauthorized modification of financial reporting data

Answer

Only C-suite executives require formal access controls on financial systems

Answer

All employees must be granted access to financial systems for operational transparency

Answer

Financial reporting systems are explicitly excluded from IAM compliance requirements

Question 4

What is an access certification (recertification) campaign?

Accepted Answer

A periodic review process where managers formally attest to the appropriateness of their employees' current access rights

Answer

A training program that certifies IAM administrators in a specific vendor product

Answer

A marketing certification awarded to IAM software vendors

Answer

An automated script that removes all inactive user accounts from directory services

Question 5

What is the compliance-recommended approach to managing access for contractors and temporary workers?

Accepted Answer

Provide time-limited accounts scoped to specific project needs with automatic expiration dates

Answer

Grant contractors the same permanent access as full-time employees to avoid administrative overhead

Answer

Deny contractors any system access and require them to work through a full-time employee's account

Answer

Allow contractors to self-provision any access they determine they need without IT oversight

Question 6

Which NIST Special Publication provides the federal standard for digital identity, authentication levels, and identity lifecycle management?

Accepted Answer

NIST SP 800-63 (Digital Identity Guidelines)

Answer

NIST SP 800-53 (Security and Privacy Controls)

Answer

NIST SP 800-171 (Protecting CUI in Nonfederal Systems)

Answer

NIST SP 800-37 (Risk Management Framework)

Question 7

What is deprovisioning and why is timely deprovisioning a critical compliance requirement?

Accepted Answer

Promptly revoking a departed or role-changed employee's access rights to prevent unauthorized access

Answer

Adding and configuring new user accounts when employees join the organization

Answer

Gradually upgrading user permissions as they gain organizational experience

Answer

Creating encrypted backups of user credential databases for disaster recovery