Your company sells toys online worldwide. The sales manager, as a data owner, is granting privileges of access to the customer profiles to Alice. Which of the following is the best security model that supports access control and enforces confidentiality?
A. Graham-Denning Model
B. Clark-Wilson Model
C. Biba Model
D. Bell-LaPadula model
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Graham-Denning Model.
It is a Discretionary Access Control (DAC) model that “the sales manager, as a data owner, is granting privileges of access to the customer profiles to Alice.” The authorization can be implemented by the data custodian. The authorization operations and authorization data need to be implemented based on one or more security models. The Graham-Denning Model can manipulate the access control matrix and enforce confidentiality through authorization.
Clark-Wilson Model and Biba Model are used to enforce integrity. Bell-LaPadula model enforces confidentiality, but it is the underlying model of Mandatory Access Control (MAC).
This model addresses the security issues associated with how to define a set of basic rights on how specific subjects can execute security functions on an object. The model has eight basic protection rules (actions) that outline:
- How to securely create an object.
- How to securely create a subject.
- How to securely delete an object.
- How to securely delete a subject.
- How to securely provide the read access right.
- How to securely provide the grant access right.
- How to securely provide the delete access right.
- How to securely provide the transfer access right.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.