Effective CISSP Questions

Your company is evaluating a physical access control system (PACS) solution that authenticates employees with contactless smart cards as ID credentials. As a security professional, which of the following is the weakest authentication mechanism, the one you would not recommend? (Source: Wentz QOTD)
A. ID card using the default PIN code
B. Unattended iris scanning with a high FAR
C. Fingerprint scanning with the default threshold
D. Security guards conducting visual authentication

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security guards conducting visual authentication.

The Weakest Link

People are the weakest link in the chain of security controls. Honest mistakes are inevitable, and malicious insiders, who have intimate knowledge of corporate systems and infrastructure or even privileged access, are worse still.

This weakness is reflected and addressed in FIPS PUB 201-2, which downgrades manual (visual) authentication to "LITTLE or NO" confidence, and in NIST SP 800-116 R1, which advises against using it whenever an electronic mechanism is practical.

VIS authentication

Authentication performed visually by a security guard is called VIS authentication, which "cannot be verified electronically and provides 'LITTLE or NO' confidence in the identity of the cardholder. It should not be used when another mechanism is practical." (NIST SP 800-116 R1)

Visual authentication entails inspection of the topographical features on the front and back of the PIV Card. The human guard checks to see that the PIV Card looks genuine, compares the cardholder’s facial features with the picture on the card, checks the expiration date printed on the card, verifies the correctness of other data elements printed on the card, and visually verifies the security feature(s) on the card.

The effectiveness of this mechanism depends on the training, skill, and diligence of the guard (to match the face in spite of changes in physical appearance – beard, mustache, hair coloring, eye glasses, etc.) – counterfeit IDs can pass visual inspections easily. Digital scanners, printers, and image editing software have made counterfeiting easier.

Moreover, the visual verification of security features does not scale well across agencies since each agency may implement different security features.

For these reasons, [FIPS201] has downgraded this authentication mechanism to indicate that it provides “LITTLE or NO” confidence in the identity of the cardholder.

Source: (NIST SP 800-116 R1)

Default PIN Code

An ID card used with a PIN code is two-factor authentication. Even if the PIN is weak (a default PIN should, of course, be changed at issuance) and is compromised, the ID card, something you have, still provides a layer of protection. Moreover, electronic authentication wins over manual authentication.

High FAR or Default Threshold

"Unattended iris scanning with a high FAR" and "fingerprint scanning with the default threshold" are biometric authentication, something you are. The false acceptance rate (FAR) is set by the matcher's decision threshold: a higher FAR admits more impostors but also lowers the false rejection rate (FRR), so choosing a high FAR or keeping a default threshold is a tuning decision driven by the security requirement and control objective, and neither is inherently unacceptable. Moreover, electronic authentication wins over manual authentication.
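To make the threshold trade-off concrete, here is an added example (not code from the original post or from any PACS vendor) that computes FAR and FRR for a biometric matcher over a range of decision thresholds, finds the equal error rate threshold, and derives the threshold that satisfies a stated FAR requirement instead of trusting the vendor default. The match scores are constructed, hypothetical values on a 0-100 similarity scale; a real deployment would use score distributions measured in a pilot with its own matcher.

```python
"""FAR/FRR trade-off of a biometric matcher across decision thresholds.

Added example, not code from the original post. Match scores are
constructed (hypothetical) values on a 0-100 similarity scale: higher
means the live sample looks more like the enrolled template. A real
PACS would use score distributions measured in a pilot with its own
matcher.
"""
from typing import List, Sequence, Tuple

# Constructed sample scores. Genuine attempts should be accepted,
# impostor attempts rejected; the two ranges deliberately overlap,
# which is what forces the threshold decision.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61, 57, 52]
IMPOSTOR_SCORES: List[int] = [63, 60, 58, 55, 52, 49, 47, 44, 42, 40, 35, 30]


def far(impostor_scores: Sequence[int], threshold: int) -> float:
    """False acceptance rate: share of impostor attempts with score >= threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores: Sequence[int], threshold: int) -> float:
    """False rejection rate: share of genuine attempts with score < threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def tradeoff_table(genuine: Sequence[int], impostor: Sequence[int],
                   thresholds: Sequence[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) rows; raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def _candidate_thresholds(genuine: Sequence[int], impostor: Sequence[int]) -> List[int]:
    # Every observed score is a possible cut-off; one past the maximum rejects everyone.
    scores = sorted(set(genuine) | set(impostor))
    return scores + [scores[-1] + 1]


def threshold_for_max_far(genuine: Sequence[int], impostor: Sequence[int],
                          max_far: float) -> int:
    """Lowest threshold (hence fewest false rejections) whose FAR stays <= max_far.

    This turns a security requirement ("admit no more than this share of
    impostors") into a matcher setting, rather than keeping the default.
    """
    for t in _candidate_thresholds(genuine, impostor):
        if far(impostor, t) <= max_far:
            return t
    raise AssertionError("unreachable: the last candidate always yields FAR 0")


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> int:
    """Threshold where FAR and FRR are closest (the equal error rate, EER) ."""
    return min(_candidate_thresholds(genuine, impostor),
               key=lambda t: (abs(far(impostor, t) - frr(genuine, t)), t))


if __name__ == "__main__":
    print("threshold   FAR     FRR")
    for t, a, r in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 76, 5)):
        print(f"{t:9d}   {a:.3f}   {r:.3f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("threshold for FAR <= 1%:",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.01))
```

With the constructed scores, a lax threshold of 50 accepts 5 of 12 impostors (a "high FAR") while rejecting no genuine users, the equal error rate sits at 60, and meeting a FAR of at most 1% pushes the threshold to 66 at the cost of rejecting a third of genuine attempts. Whether that cost is acceptable depends on the door being protected, which is exactly why the threshold is a control objective decision and not a fixed property of the biometric.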


Your company is evaluating a physical access control system (PACS) solution. The solution authenticates employees using contactless smart cards as ID credentials. As a security professional, which of the following authentication mechanisms is the weakest, the one you would least recommend? (Source: Wentz QOTD)
A. An ID card using the default PIN code
B. Unattended iris scanning with a high FAR
C. Fingerprint scanning with the default threshold
D. Security guards performing visual authentication


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.


2 thoughts on "CISSP PRACTICE QUESTIONS – 20200812"

  1. “Unattended iris scanning with a high FAR” – how do you know, from the question, that this is less than the security guard’s FAR?

    • According to FIPS 201-2, BIO authentication renders HIGH confidence while VIS authentication (by security guards) provides LITTLE or NO confidence.
      According to NIST SP 800-116 R1, VIS authentication is not an option if other (electronic) authentication mechanisms are available.
      If you work for the US government, you don’t have to prove it, but you have to be compliant with FIPS 201-2.
      If you work for private enterprises, FIPS 201-2 and NIST SP 800-116 R1 are good evidence to support your decision.
