CPA Exam Lab
All patterns
Security and system resilience

The Access Gate

Prove identity, then grant the least access: authentication uses factors, authorization uses roles, and termination triggers prompt deprovisioning.

How the exam words it

The playbook

  1. 1Test authentication by factor category: something you know (a password), something you have (a token), and something you are (a biometric); true MFA combines two different categories.
  2. 2Grant authorization on least privilege through role-based access control, assigning permissions to roles rather than to individuals.
  3. 3Deprovision promptly on termination or transfer, disabling access on the effective date, and review access rights periodically.
  4. 4Recognize supporting controls: hashing protects integrity (it is irreversible), a DMZ isolates public-facing servers, and segmentation limits lateral movement.

The trap

Counting two passwords as multifactor authentication, or thinking hashing provides confidentiality. MFA needs two different factor categories, and hashing is one-way integrity, not encryption.

How the exam varies it

The same pattern, re-skinned along these axes:

Authentication factor categories and what counts as MFAAuthorization by role (RBAC) and least privilegeTermination deprovisioning versus network segmentation and hashing

Drill this pattern

8 questions of The Access Gate from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 1 ISC topic