Security Access Model for Companies with High Employee Turnover



Question

Which access model is most appropriate for companies with a high employee turnover?

Answers

Explanations


A.

The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company.

Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population.

RBAC simplifies the task of assigning permissions because the permissions are assigned to roles which do not change based on who belongs to them.

As employees join the company, it is simply a matter of assigning them to the appropriate roles and their permissions derive from their assigned role.

They will implicitly inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked or changed appropriately.

Mandatory access control is incorrect.

While controlling access based on the clearance level of employees and the sensitivity of objects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company.

Lattice-based access control is incorrect.

The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-LaPadula, Biba, etc.).

In the context of the question, an abstract model of information flow is not an appropriate choice.

CBK, pp. 324-325.

Discretionary access control is incorrect.

When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own.

Problems would also arise when the owner of an object leaves the company.

The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation.

References: All in One, third edition, page 165. RBAC is discussed on pp. 189 through 191 of the (ISC)² guide.
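To make the joiner/leaver argument above concrete, here is an added example (not from the page, the CBK or either referenced book): a toy model that offboards one user under RBAC and under DAC and counts the records each model must touch. All users, roles and object names are made up.

```python
# Added example (not from the page or the CBK): a toy joiner/leaver workflow
# under RBAC versus DAC. Users, roles and object names are made up.
from collections import defaultdict

class Rbac:                                  # permissions hang off roles, not users
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(object, action)}
        self.user_roles = {}                 # user -> {role}
    def grant_role(self, role, obj, action):
        self.role_perms[role].add((obj, action))
    def assign(self, user, *roles):          # joiner or mover: one record changes
        self.user_roles[user] = set(roles)
    def offboard(self, user):                # leaver: one deletion, nothing else
        self.user_roles.pop(user, None)
        return 1                             # records touched
    def allowed(self, user, obj, action):
        return any((obj, action) in self.role_perms[r] for r in self.user_roles.get(user, ()))

class Dac:                                   # each object's owner grants to individuals
    def __init__(self):
        self.owner = {}                      # object -> owning user
        self.acl = defaultdict(dict)         # object -> {user: {actions}}
    def create(self, obj, owner):
        self.owner[obj] = owner
        self.acl[obj][owner] = {"read", "write"}
    def grant(self, granter, obj, user, action):
        if self.owner[obj] != granter:       # only the owner may grant
            raise PermissionError(f"{granter} does not own {obj}")
        self.acl[obj].setdefault(user, set()).add(action)
    def offboard(self, user):                # leaver: visit every ACL, then find orphans
        edits = sum(1 for e in self.acl.values() if e.pop(user, None) is not None)
        orphaned = sorted(o for o, w in self.owner.items() if w == user)
        return edits, orphaned               # orphans still need a new owner assigned
    def allowed(self, user, obj, action):
        return action in self.acl[obj].get(user, set())

def churn_demo():
    """Offboard 'alice', who owns three objects, and report the work each model needs."""
    objs, rbac, dac = ["payroll.db", "hr-share", "report.docx"], Rbac(), Dac()
    for o in objs:
        rbac.grant_role("analyst", o, "read")
        dac.create(o, "alice")
        dac.grant("alice", o, "bob", "read")
    rbac.assign("alice", "analyst", "manager")
    rbac.assign("bob", "analyst")
    rbac_edits, (dac_edits, orphaned) = rbac.offboard("alice"), dac.offboard("alice")
    return {"alice_rbac": rbac.allowed("alice", "payroll.db", "read"),
            "alice_dac": dac.allowed("alice", "payroll.db", "read"),
            "bob_still_ok": rbac.allowed("bob", "hr-share", "read"),
            "rbac_edits": rbac_edits, "dac_edits": dac_edits, "orphaned": orphaned}
```

The DAC side has to walk every ACL and still leaves three objects without an owner, which is the "owner leaves the company" problem the explanation points at; the RBAC side removes one role assignment and is done.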

The most appropriate access model for companies with a high employee turnover is Discretionary Access Control (DAC).

Discretionary Access Control (DAC) is a type of access control in which the owner of a resource determines who is authorized to access it and what actions they are allowed to perform on it. This model is widely used in environments where users have different levels of access and where access control decisions are made by the resource owner.

In a company with a high employee turnover, the ability to quickly and easily grant or revoke access to resources is critical. With DAC, resource owners can quickly and easily grant or revoke access to resources without the need for complex administrative processes or policies.

Role-based access control (RBAC), on the other hand, is a type of access control that assigns permissions to roles, rather than individuals. In an RBAC environment, employees are assigned roles based on their job functions, and these roles are granted the permissions necessary to perform their duties. While RBAC can be effective in managing access control, it can be difficult to manage in an environment with a high employee turnover, as roles may need to be constantly updated or revised to reflect changes in the organization.

Mandatory access control (MAC) is a type of access control in which access to resources is determined by a central authority, such as a security administrator. In a MAC environment, access control decisions are made based on the sensitivity of the resource being protected, rather than the identity of the user. While MAC can be effective in high-security environments, it is often too restrictive for most organizations.

Lattice-based access control (LBAC) is a type of access control that is based on the concept of a security lattice. In an LBAC environment, users are assigned security levels based on their clearance level and the sensitivity of the resources they need to access. While LBAC can be effective in high-security environments, it can be difficult to manage in organizations with a high employee turnover, as security clearances may need to be constantly updated or revised to reflect changes in the organization.

In conclusion, Discretionary Access Control (DAC) is the most appropriate access model for companies with a high employee turnover, as it allows for quick and easy granting or revoking of access to resources, without the need for complex administrative processes or policies.