CERTIFIED-IN-CYBERSECURITY Question #256: Real Exam Question with Answer & Explanation
The correct answer is D: Lattice based.
Question
What model is utilized in Mandatory Access Control (MAC)?
Options
- A. Group based
- B. Rule based
- C. Discretionary
- D. Lattice based
Explanation
Mandatory access control (MAC) is a security model in which access decisions are based on labels assigned to resources and the clearance level of subjects seeking access (see ISC2 Study Guide, Module 3, under Mandatory Access Control). In this model, the lattice structure is used to determine the highest level of access an individual can have, based on their security clearance level and the sensitivity level of the resource they are attempting to access.

Let us imagine a military base where sensitive information related to national security is stored. To manage access to this information, the base employs a Mandatory Access Control (MAC) model, specifically a lattice-based structure. In this structure, every individual (subject) who has access to the base is assigned a security clearance level. These levels could range from "Confidential" to "Secret" to "Top Secret", each representing increasing levels of trust and access. Simultaneously, every piece of information or resource on the base is also assigned a sensitivity label, such as "Unclassified", "Confidential", "Secret", or "Top Secret".

Access to a resource is granted only if the subject's clearance level is equal to or higher than the sensitivity level of the resource. For example, a soldier with a "Secret" clearance level can access resources marked as "Confidential" and "Secret", but not those marked as "Top Secret".

Regarding the other options, Discretionary Access Control (DAC) is not used in MAC, as it allows individual administrators to make decisions and achieve scalability and flexibility, while MAC requires a centralized decision-making process. Group-based and Rule-based access control are not models but methods of implementing access control.