Which of the following access control models is based on sensitivity labels?
A. Discretionary access control
B. Mandatory access control
C. Rule-based access control
D. Role-based access control

Correct answer: B
Access decisions are made based on the clearance of the subject and the sensitivity label of the object.
Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design Profile" because its sensitivity label is "Secret." She is denied access to the "Presidential Toilet Tissue Formula" because its sensitivity label is "Top Secret."

The other answers are not correct because:

Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner.
For example, Joe owns the "Secret Chili Recipe" and grants read access to Charles.
Role Based Access Control is incorrect because in RBAC access decisions are made based on the role held by the user.
For example, Jane has the role "Auditor" and that role includes read permission on the "System Audit Log."

Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a firewall where rules are defined and apply to anyone connecting through the firewall.
References: All-in-One, third edition, page 164; Official ISC2 Guide, page 187.
The correct answer is B. Mandatory access control.
Access control models are security mechanisms that define how access to resources is granted and controlled. There are several types of access control models, including:
A. Discretionary access control (DAC): This type of access control model allows the owner of a resource to control access to that resource. Access is granted based on the owner's discretion, meaning the owner can decide who can access the resource and what level of access they are allowed.
B. Mandatory access control (MAC): This type of access control model is based on sensitivity labels that are assigned to resources and subjects (users and processes). These sensitivity labels determine the level of access that subjects have to resources. The labels are assigned by a central authority, typically a security administrator, and cannot be changed by the subject.
C. Rule-based access control (RBAC): This type of access control model uses a set of rules to determine access to resources. These rules are based on factors such as the user's role, the time of day, and the type of device being used.
D. Role-based access control (RBAC): This type of access control model grants access based on the user's role within the organization. Users are assigned roles that determine what resources they can access and what actions they can perform.
In summary, the access control model that is based on sensitivity labels is mandatory access control (MAC).
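The four models contrasted in the two explanations above, as an added example that is not part of the original question or answers: each model's read decision is a small function, run over constructed data that mirrors the explanations (Eve's "Secret" clearance, Joe's chili recipe ACL, Jane's Auditor role, a firewall rule list). The MAC check generalizes the level comparison in the text to labels with need-to-know compartments using the Bell-LaPadula dominance rule; the compartment names, ACL contents, role table and firewall rules are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# MAC: sensitivity levels form a total order; compartments add need-to-know.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND every compartment of `other` is held.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def mac_can_read(clearance: Label, object_label: Label) -> bool:
    # "No read up": the subject's clearance must dominate the object's label.
    # Neither label is under the subject's control; an administrator sets them.
    return clearance.dominates(object_label)

def dac_can_read(acl: dict, owner: str, subject: str, obj: str) -> bool:
    # Owner decides: non-owners need an ACL entry the owner granted.
    return subject == owner or subject in acl.get(obj, set())

def rbac_can_read(role_perms: dict, user_roles: dict, subject: str, obj: str) -> bool:
    # Decision rests only on the roles held, not on labels or ownership.
    return any(("read", obj) in role_perms.get(r, set())
               for r in user_roles.get(subject, ()))

def rule_based_allow(rules: list, src_ip: str, dst_port: int) -> bool:
    # Firewall-style: first matching (network, port, action) rule wins and it
    # applies to anyone connecting, whoever they are. Default deny.
    src = ipaddress.ip_address(src_ip)
    for net, port, action in rules:
        if src in ipaddress.ip_network(net) and port in (dst_port, "*"):
            return action == "allow"
    return False

# Constructed sample data mirroring the examples in the explanations above.
EVE = Label("Secret")
MISSILE_PROFILE = Label("Secret")
TOILET_FORMULA = Label("Top Secret")
CHILI_ACL = {"Secret Chili Recipe": {"Charles"}}
ROLE_PERMS = {"Auditor": {("read", "System Audit Log")}}
USER_ROLES = {"Jane": ("Auditor",)}
FIREWALL_RULES = [("10.0.0.0/8", 22, "allow"), ("0.0.0.0/0", "*", "deny")]
```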