Passwords can be required to change monthly, quarterly, or at other intervals:

A.
depending on the criticality of the information needing protection.

B.
depending on the criticality of the information needing protection and the password’s frequency of use.

C.
depending on the password’s frequency of use.

D.
not depending on the criticality of the information needing protection but depending on the password’s
frequency of use.

Explanation:
A password that is the same for each log-on is called a static password. A password that changes with each
log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes.
Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the
information needing protection and the password’s frequency of use. Obviously, the more times a password is
used, the more chance there is of it being compromised.
Incorrect Answers:
A: This answer is not complete. Passwords can also be required to change depending on the password’s
frequency of use.
C: This answer is not complete. Passwords can also be required to change depending on the criticality of the
information needing protection.
D: Passwords CAN be required to change depending on the criticality of the information needing protection.

Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley
Publishing, Indianapolis, 2007, p. 57