Which of the following questions is less likely to help in assessing identification and authentication
controls?

A.
Is a current list maintained and approved of authorized users and their access?

B.
Are passwords changed at least every ninety days or earlier if needed?

C.
Are inactive user identifications disabled after a specified period of time?

D.
Is there a process for reporting incidents?

Explanation:
We just some common sense to answer this question correctly, why are we going to ask about
process reporting for incidents?, does is help relating to identification and authentication?, I don’t
think so. There are other more interesting questions, password deal with authentication, inactive
user Ids are also related to identification. But the most important to me, know if there is a list with
authorized users and their current access, this can help you to identify unauthorized activities.