Your organization’s top management requires data classified at a higher security level shall not flow to a subject with a lower level clearance, and classified data shall not be sent to anyone who doesn’t need to know in terms of their duty. Which of the following should be considered first to meet the policy requirements? (Wentz QOTD)
A. A management system aligned with the policy
B. A system based on state machine and information flow
C. An information system that supports the access control matrix
D. A lattice-based model that enforces mandatory access control

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. A management system aligned with the policy.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

The top management is demanding enforcement of information security and expressing their protection requirements through policies. Effective information security involves comprehensive considerations such as people, processes, and technologies (PPT). Information systems processing digital data are just fundamental elements of information security.

It may be necessary that an information system supports Discretional Access Control (DAC) based on an access control matrix and Mandatory Access Control (MAC) based on formal models such as lattice, state machine, and information flow. However, a technical solution like that is not sufficient or ineffective.

A management system is a “set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.” (ISO 22886:2020) Related policies, standards, procedures, or guidelines are developed and aligned with the top management’s policy in question. A management system provides a holistic view, integrates people, processes, and technologies (PPT), and provides a framework for the implementation of information security.

Reference

---

貴組織的最高管理層(top management)要求保密級別較高的資料不得流向較低安全級別的主體(subject)，且不得將保密資料發送給在職務上不需要知道(need-to-know)這些資料的任何人。 為了滿足該政策要求，以下哪項應首先考慮？ (Wentz QOTD)
A. 符合政策的管理制度
B. 基於狀態機和資息流的系統
C. 支持訪問控制矩陣(access control matrix)的資訊系統
D. 實施強制型訪問控制(MAC)的基於晶格(lattice-based)的模型