Which of the following least contributes to access control on the need-to-know basis? (Source: Wentz QOTD)
A. An object with a non-hierarchical label
B. A subject’s capability table
C. A subject’s security clearance
D. A compartmented object
Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. A subject’s security clearance.
A subject’s security clearance is used in mandatory access control (MAC) to enforce access to objects dominated by the subject’s sensitivity level, but it is not the primary instrument to enforce need-to-know.
An object can be classified based on hierarchical and non-hierarchical labels. Well-known hierarchical labels are Top Secret, Secret, and Confidential. Non-hierarchical labels can be created on demand to categorize or compartmentalize objects and enforce need-to-know. “Apollo” depicted in the above diagram is a non-hierarchical label used to create a compartment or category and enforce need-to-know.
Need-to-know can be implemented in discretionary access control (DAC) by an access matrix, conceptually composed of access control lists (ACLs) and capability tables, as depicted in the slide, TCB Access Control.
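The reasoning above can be checked in a few lines of Python. This is an added example, not from the original post or the book: it models the MAC dominance test with a hierarchical level plus non-hierarchical compartments, and a DAC access matrix whose rows are capability tables and whose columns are ACLs. All subject and object names and matrix entries are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical labels named in the post, ordered low to high.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str                              # hierarchical part (clearance / classification)
    compartments: frozenset = frozenset()   # non-hierarchical part (e.g. "Apollo")

def dominates(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's level must be at least the object's,
    AND the subject must hold every compartment on the object."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.compartments >= obj.compartments)

# Constructed sample labels.
APOLLO_DOC = Label("Secret", frozenset({"Apollo"}))
CLEARED_ONLY = Label("Top Secret")                      # high clearance, no compartment
READ_IN = Label("Secret", frozenset({"Apollo"}))        # lower clearance, has compartment

# DAC access matrix (constructed): (subject, object) -> set of rights.
MATRIX = {
    ("alice", "flight_plan"): {"read", "write"},
    ("bob", "flight_plan"): {"read"},
    ("alice", "budget"): {"read"},
}

def capability_table(subject: str) -> dict:
    """Row of the matrix: everything one subject may do."""
    return {o: r for (s, o), r in MATRIX.items() if s == subject}

def acl(obj: str) -> dict:
    """Column of the matrix: everyone who may touch one object."""
    return {s: r for (s, o), r in MATRIX.items() if o == obj}

def dac_allows(subject: str, obj: str, right: str) -> bool:
    """Need-to-know in DAC: no matrix entry means no access."""
    return right in MATRIX.get((subject, obj), set())

if __name__ == "__main__":
    print("Top Secret, no Apollo ->", dominates(CLEARED_ONLY, APOLLO_DOC))
    print("Secret + Apollo       ->", dominates(READ_IN, APOLLO_DOC))
    print("bob's capability table:", capability_table("bob"))
    print("ACL of flight_plan:", acl("flight_plan"))
```

The Top Secret subject without the Apollo compartment is denied while the Secret subject holding it is allowed, which is why clearance alone contributes least to need-to-know.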