Jack is a new employee. As the account administrator, you are provisioning a new user account and its privileges for Jack based on a template user account. Which of the following is least related to the provisioning process?
A. Service Provisioning Markup Language (SPML)
B. Take-Grant Model
C. Access Control Matrix
D. Security labeling

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security labeling.


The account provisioning process implies a context of DAC (discretionary access control). The provisioning process includes 1) creating a user account and 2) assigning its entitlements. These activities relate directly to the following:

  • The user account and its privileges can be provisioned across systems through SPML.
  • Authorization/entitlement data, in theory, can be stored in a logical data structure, the Access Control Matrix.
  • The Take-Grant Model is a theory of authorization that may be implemented to support operations against the Access Control Matrix.
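
As an added illustration that is not part of the original post, the Python below stores entitlements in an access control matrix and uses the Take-Grant rules (create, take, grant, remove) to copy a template account's row to Jack. The names admin, template_user, wiki and timesheet are constructed sample values, and the class and function names are hypothetical.

```python
class AccessControlMatrix:
    """Sparse matrix: rights[subject][object] -> set of rights ('t' = take, 'g' = grant)."""

    def __init__(self):
        self.rights = {}

    def has(self, s, o, r):
        return r in self.rights.get(s, {}).get(o, set())

    def row(self, s):
        return {o: set(rs) for o, rs in self.rights.get(s, {}).items() if rs}

    def _add(self, s, o, r):
        self.rights.setdefault(s, {}).setdefault(o, set()).add(r)

    def create(self, s, new, rs):      # create rule: s makes a node and holds rs over it
        for r in rs:
            self._add(s, new, r)

    def take(self, s, x, r, y):        # take rule: s has t over x, and x has r over y
        if not (self.has(s, x, "t") and self.has(x, y, r)):
            raise PermissionError(f"{s} cannot take {r} on {y} from {x}")
        self._add(s, y, r)

    def grant(self, s, x, r, y):       # grant rule: s has g over x, and s has r over y
        if not (self.has(s, x, "g") and self.has(s, y, r)):
            raise PermissionError(f"{s} cannot grant {r} on {y} to {x}")
        self._add(x, y, r)

    def remove(self, s, o, r):         # remove rule: s drops a right it holds
        self.rights.get(s, {}).get(o, set()).discard(r)

def provision_from_template(acm, admin, template, new_user):
    """Copy the template's entitlements to new_user using only Take-Grant rules."""
    acm.create(admin, new_user, {"g"})
    for obj, rs in acm.row(template).items():
        for r in sorted(rs):
            already_held = acm.has(admin, obj, r)
            acm.take(admin, template, r, obj)
            acm.grant(admin, new_user, r, obj)
            if not already_held:       # admin keeps no entitlement it lacked before
                acm.remove(admin, obj, r)
    return acm.row(new_user)

def demo():
    acm = AccessControlMatrix()        # constructed sample data
    acm.create("admin", "template_user", {"t"})
    acm.create("template_user", "wiki", {"read"})
    acm.create("template_user", "timesheet", {"read", "write"})
    return acm, provision_from_template(acm, "admin", "template_user", "jack")

if __name__ == "__main__":
    print(demo()[1])
```

Note that nothing in this flow touches an object's label: every change is to a subject's row in the matrix.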

A MAC (Mandatory Access Control) environment relies on comparing the subject’s clearance and the object’s label. Both of them (clearance and label) may broadly be referred to as security “labels”.

The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. (NIST SP 800-53 R4)

However, it’s more specific and generally accepted to relate a label to an object, and a clearance to a subject.

Security labeling is least related to the provisioning process, for the following reasons:

  • MAC and security labeling rely heavily on the national security “classification” scheme; it is uncommon in the private sector. No classification is mentioned in the question.
  • The provisioning process may involve configuring Jack’s clearance; however, it doesn’t include setting objects’ labels. Most people think labels are related to objects; it’s more specific and generally accepted. CISSP is an experience-based exam BTW. I guess you may not accept this justification :)
  • Security labeling “can” be related to the provisioning process, but it’s the least among the four options.










