
CERTIFIED-IN-CYBERSECURITY Question #477: Real Exam Question with Answer & Explanation

The correct answer is B: Mandatory access control (MAC).

Access Controls Concepts

Question

What type of access control model is based on user clearance and object classification?

Options

  • A. Rule-based access control (RuBAC)
  • B. Mandatory access control (MAC)
  • C. Role-based access control (RBAC)
  • D. Discretionary access control (DAC)

Explanation

In a mandatory access control model, users are granted access based on their security clearance level and the classification level of the object or information they are trying to access (see ISC2 Study Guide, Chapter 3, Module 3). For example, MAC might be implemented to protect data in a government agency that handles classified information. If an analyst has a Secret clearance, he or she would only be allowed access to documents classified Secret or below. Similarly, if a document is classified Top Secret, only users with Top Secret clearance would have access. This clearance hierarchy protects sensitive information from unauthorized and potentially harmful access.

The other options are incorrect for the following reasons. Discretionary access control (DAC) allows users to control access to their own data, which doesn't match the premise of clearance level and object classification. Role-based access control (RBAC) is incorrect because it assigns access rights based on predefined organizational roles, not clearance levels. Finally, rule-based access control (RuBAC) is incorrect because it allows or restricts access based on a set of predefined system rules, not on a user's clearance level or an object's classification.

Topics

#Access Control Models #Mandatory Access Control (MAC) #Security Concepts
