CERTIFIED-IN-CYBERSECURITY Question #502: Real Exam Question with Answer & Explanation

The correct answer is B: It provides dynamic access control based on pre-defined rules.

Access Controls Concepts

Question

What is the primary benefit of using a rule-based access control (RuBAC) model?

Options

  • A. It enables the creator of the object to dictate access
  • B. It provides dynamic access control based on pre-defined rules
  • C. Allows the last user to determine access
  • D. Allows the CEO or CISO to have ultimate control

Explanation

Rule-based access control (RuBAC) provides dynamic access control based on predefined rules. The RuBAC model is implemented with system-level preconditions that dictate which users are granted access to certain aspects of the system. An example of this would be an organization that implements a rule that only Human Resources employees can access employee personal information during business hours.

The other options are incorrect for the following reasons.

Suggesting that the CEO or CISO would have ultimate control is incorrect because RuBAC is based on established rules, not individual decision-making authority. The CEO/CISO's input would likely be considered when the rules are set, but the control lies with the defined rules in a RuBAC model.

The idea that the creator of an object gets to dictate access refers to the concept of Discretionary Access Control (DAC). In a RuBAC model, access control is not determined by the creators of individual objects or resources, but by predefined rules established at the system level.

Finally, the idea that the last user determines access is a very insecure practice and not a feature of RuBAC.

Topics

#Access Control #Rule-Based Access Control (RuBAC) #Security Models #Dynamic Access Control
