Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
Correct answer: C
Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure.
Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role.
An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object.
With discretionary access control, administration is decentralized and owners of resources control other users' access.
Non-mandatory access control is not a defined access control technique.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).
The access control technique that best gives security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure is Role-based access control (RBAC).
RBAC is a model that assigns permissions based on the roles that users have within an organization. Each user is assigned one or more roles, and each role has a set of permissions associated with it. Users are granted access to resources based on their role, rather than their identity.
RBAC maps naturally to an organization's structure because it is based on the roles that exist within the organization. For example, a large organization might have multiple departments, each with its own set of roles and permissions. RBAC allows security officers to define these roles and permissions in a way that aligns with the organization's structure.
Access control lists (ACLs) and discretionary access control (DAC) are other access control techniques that can be used to control access to resources. An ACL is a per-object list that allows or denies access to that object for named users or groups. DAC is a model in which the owner of a resource decides who can access it; ACLs are the usual mechanism for recording those decisions, which is why both tie access to individual identities and objects rather than to organizational roles.
"Non-mandatory access control" is not a defined access control model. Mandatory access control (MAC), by contrast, is the model typically used in highly secure environments such as military or government organizations: the system decides access from security labels and rules set by organizational policy, and neither the resource owner nor the user can override that decision.
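The following Python example is added here to make the contrast between RBAC (described above) and ACL-based DAC concrete; it is not code from the original page or its cited source. The roles, users, objects and permission names are constructed for illustration. It implements both models minimally and then moves one user between departments under each, counting how many administrative changes that takes: under RBAC it is a role swap, under per-object ACLs every object the user could reach has to be touched by its owner.

```python
"""Added example: RBAC versus per-object ACLs (DAC).

Both models are implemented on a small constructed data set so the
administrative difference can be observed directly. All names below
(roles, users, objects, permission strings) are illustrative assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set


class Rbac:
    """Role-based access control: user -> roles -> permissions."""

    def __init__(self, role_permissions: Dict[str, Set[str]]):
        # Permissions are "<action>:<resource>" strings (an assumption of
        # this example, not a standard format).
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:      # fail closed on unknown roles
            raise KeyError(f"undefined role: {role}")
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def allows(self, user: str, action: str, resource: str) -> bool:
        want = f"{action}:{resource}"
        return any(want in self.role_permissions[r]
                   for r in self.user_roles.get(user, ()))


class DacAcls:
    """Discretionary access control with one ACL per object.

    Each object has an owner; only the owner may edit that object's ACL.
    """

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.acl: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)

    def create(self, obj: str, owner: str, rights: Iterable[str]) -> None:
        self.owner[obj] = owner
        self.acl[obj][owner] = set(rights)

    def grant(self, obj: str, grantor: str, grantee: str,
              rights: Iterable[str]) -> None:
        if self.owner.get(obj) != grantor:         # discretionary: owner decides
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj].setdefault(grantee, set()).update(rights)

    def revoke(self, obj: str, grantor: str, grantee: str) -> None:
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj].pop(grantee, None)

    def allows(self, user: str, action: str, obj: str) -> bool:
        return action in self.acl.get(obj, {}).get(user, set())


def transfer_departments() -> Dict[str, object]:
    """Constructed scenario: 'alice' moves from Finance to HR.

    Returns the number of administrative changes each model needed and
    alice's resulting access under each.
    """
    role_perms = {
        "finance_analyst": {"read:ledger", "read:invoices", "read:budget"},
        "finance_manager": {"read:ledger", "approve:invoices", "write:budget"},
        "hr_staff": {"read:personnel", "write:personnel"},
    }
    rbac = Rbac(role_perms)
    rbac.assign("alice", "finance_analyst")
    rbac_changes = 0
    rbac.revoke("alice", "finance_analyst"); rbac_changes += 1
    rbac.assign("alice", "hr_staff");        rbac_changes += 1

    dac = DacAcls()
    finance_objects = ["ledger", "invoices", "budget"]   # owned by bob (Finance)
    for obj in finance_objects:
        dac.create(obj, "bob", {"read", "write", "approve"})
        dac.grant(obj, "bob", "alice", {"read"})
    dac.create("personnel", "carol", {"read", "write"})  # owned by carol (HR)
    dac_changes = 0
    for obj in finance_objects:                          # bob must revoke each
        dac.revoke(obj, "bob", "alice"); dac_changes += 1
    dac.grant("personnel", "carol", "alice", {"read", "write"}); dac_changes += 1

    return {
        "rbac_changes": rbac_changes,
        "dac_changes": dac_changes,
        "rbac_reads_ledger": rbac.allows("alice", "read", "ledger"),
        "rbac_reads_personnel": rbac.allows("alice", "read", "personnel"),
        "dac_reads_ledger": dac.allows("alice", "read", "ledger"),
        "dac_reads_personnel": dac.allows("alice", "read", "personnel"),
    }


if __name__ == "__main__":
    print(transfer_departments())
```

The point the counts make is the one the question is after: with RBAC the security officer edits the user-to-role mapping once and every permission follows the organizational change, whereas with per-object ACLs the change is scattered across objects and depends on each owner acting, which is exactly what makes DAC decentralized.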
Overall, RBAC is the best choice for organizations that want to enforce enterprise-specific security policies in a way that maps naturally to their structure. It allows security officers to define roles and permissions based on an organization's structure, making it easy to manage access to resources.