Which of the following questions is LESS likely to help in assessing identification and authentication controls?

A.
Is a current list maintained and approved of authorized users and their access?

B.
Are passwords changed at least every ninety days or earlier if needed?

C.
Are inactive user identifications disabled after a specified period of time?

D.
Is there a process for reporting incidents?

Explanation:
Identification and authentication controls ensure standard security practices are adhered to. These include
maintaining a list of authorized users and their access, password expiration and disabling inactive user
accounts.
Incident reporting is not related to identification or authentication. Therefore, the question: “Is there a process
for reporting incidents?” will not help in assessing identification and authentication controls.
Incorrect Answers:
A: Identification and authentication controls should include a maintained and approved list of authorized users
and their access. Asking about this will help in assessing identification and authentication controls.
B: Identification and authentication controls should include a password expiration policy to ensure passwords
are changed on a regular basis. Asking about this will help in assessing identification and authentication
controls.
C: Identification and authentication controls should include inactive accounts being disabled. Asking about this
will help in assessing identification and authentication controls.