Effective CISSP Questions

Which of the following is the best description of the attribute or attributes that can be used to uniquely trace actions to an entity?
A. Claims
B. Identity
C. Accountability
D. Security assertions

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Identity.

An entity, e.g., an individual (person), organization, device, or process, is anyone or anything that has an identity, which is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)


Accountability relies on identity to uniquely trace actions to an entity. Accountability is “the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.” (NIST SP 800-12 Rev. 1)

SAML Assertion and OIDC Claim

The term “assertion” is used in SAML, while “claim” is used in OIDC. A SAML assertion carries three types of statements: authentication, attribute, and authorization. An OIDC claim can be treated as a single attribute statement about a subject; a set of user attributes (or claims) is collectively called a scope.

  • An assertion is the “sentence or proposition in logic which is asserted (or assumed) to be true.” (ISO/TS 21526:2019)
  • A claim is an “assertion of identity.” (ISO/IEC 24745:2011)

SAML Assertions

An asserting party is a system entity that makes SAML assertions that carry authentication, attribute, and authorization statements. A relying party is a system entity that uses assertions it has received.

For example, a SAML assertion may carry statements about a subject as follows:

  • The subject is named “Wentz Wu.”
  • The subject has an email address of
  • The subject is a member of the “engineering” group.

OIDC Claims

  • An OIDC claim can be treated as a statement in the SAML assertion.
  • An OIDC scope can be viewed as a SAML assertion.
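As an added example (not code from the original post), the following Python puts the two formats side by side: it parses a constructed SAML 2.0 assertion into its subject, authentication statement, and attribute statements, applies the audience and validity-window checks a relying party performs on the assertion's Conditions element, and collects the claims an OIDC scope releases from a constructed ID-token claim set, so the correspondence described above (one OIDC claim is one attribute statement; a scope bundles several of them, much as an assertion's attribute statement does) can be seen on real structures. All names, e-mail addresses, URLs and the scope-to-claims table are made up for the example; the assertion is unsigned and the token is the decoded payload, so no signature verification takes place here.

```python
"""Side-by-side view of SAML assertion statements and OIDC ID-token claims.

Both documents are constructed sample data for this example: the assertion
is unsigned and the token is the decoded claim set, so no signature
verification happens here."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion carrying an authentication statement and an
# attribute statement about the subject (every value is made up).
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>Wentz Wu</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>wentz@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed OIDC ID-token payload (decoded claims; no header, no signature).
OIDC_CLAIMS = {
    "iss": "https://op.example.test",
    "sub": "wentz-wu",
    "aud": "rp-client-id",
    "exp": 1704067500,
    "name": "Wentz Wu",
    "email": "wentz@example.test",
    "email_verified": True,
    "groups": ["engineering"],
}

# Claims released by each scope. 'email' follows the OIDC Core standard scope;
# 'groups' is a made-up custom scope for this example.
SCOPE_CLAIMS = {"email": ["email", "email_verified"], "groups": ["groups"]}


def _iso(ts):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def saml_statements(xml_text):
    """Return the assertion's statements: who the subject is, how they
    authenticated, and each attribute as a name -> list of values."""
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject/saml:NameID", NS).text
    authn = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS).text
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": subject, "authn_context": authn, "attributes": attrs}


def saml_conditions_ok(xml_text, expected_audience, now_iso):
    """Relying-party checks on <Conditions>: the assertion names us as its
    audience and 'now' lies inside [NotBefore, NotOnOrAfter). A real relying
    party verifies the XML signature before trusting any of this."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    now = _iso(now_iso)
    return (expected_audience in audiences
            and _iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter")))


def claims_for_scopes(claims, scopes):
    """Collect the claims released by the requested scopes: each claim is one
    attribute statement about the subject, and a scope is a bundle of them."""
    released = {}
    for scope in scopes:
        for name in SCOPE_CLAIMS.get(scope, []):
            if name in claims:
                released[name] = claims[name]
    return released


if __name__ == "__main__":
    print(saml_statements(SAML_ASSERTION))
    print(saml_conditions_ok(SAML_ASSERTION, "https://sp.example.test", "2024-01-01T00:02:00Z"))
    print(claims_for_scopes(OIDC_CLAIMS, ["email", "groups"]))
```

The attribute dictionary that `saml_statements` returns and the dictionary that `claims_for_scopes` returns have the same shape, which is the point of the comparison; what differs is the envelope (XML statements under Conditions versus a JSON payload with iss, sub, aud and exp). Note that `xml.etree.ElementTree` is used here only because the input is constructed; when parsing XML received from another party, use a hardened parser such as defusedxml.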

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. Claims
B. Identity
C. Accountability
D. Security assertions
