Effective CISSP Questions

Which of the following is least related to the discretionary access model (DAC)? (Wentz QOTD)
A. Need-to-know
B. Take-grant protection model
C. An object’s access control list
D. A subject’s security clearance

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. A subject’s security clearance.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Security Kernel

In the discretionary access model (DAC), the data owner is accountable for protecting delegated data, classifying them, and making the authorization decision based on the need-to-know and least privilege principles.

The data custodian is in charge of implementing the authorization decision made by the data owner. A trusted computer system persists the authorization in a data structure called Access Control Matrix (ACM). The Take-Grant protection model is one of the theories to manipulate the ACM.

The security kernel in a trusted computer system enforces access control (authentication, authorization, and accounting). A trusted computer system compliant with the TCSEC C division criteria supports DAC, while one compliant with the B division supports MAC. A DAC system is identity-based and relies on the ACM. It won’t reference the subject’s security clearance or the object’s label.
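The paragraphs above describe DAC in terms of an access control matrix, the owner's discretionary grant, and the absence of clearances and labels from the decision. The following is an added illustration, not code from the original post: a toy ACM whose rows are subjects, whose columns are objects (an object's column is its ACL), with an owner-only `grant` in the spirit of the Take-Grant "grant" rule, a `dac_check` that consults only the matrix, and, for contrast, a `mac_read_check` that is the only place a clearance or label is referenced. All names, the sample subjects, and the sensitivity levels are constructed for the example.

```python
"""Toy access control matrix with DAC semantics (illustrative example, not from the original post).

Subjects, objects, rights and sensitivity levels below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

Rights = Set[str]


@dataclass
class AccessControlMatrix:
    # matrix[subject][object] -> rights such as {"own", "read", "write"}
    matrix: Dict[str, Dict[str, Rights]] = field(default_factory=dict)

    def rights(self, subject: str, obj: str) -> Rights:
        return self.matrix.get(subject, {}).get(obj, set())

    def add_right(self, subject: str, obj: str, right: str) -> None:
        self.matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def acl(self, obj: str) -> Dict[str, Rights]:
        # One column of the matrix is the object's access control list.
        return {s: row[obj] for s, row in self.matrix.items() if obj in row}

    def capabilities(self, subject: str) -> Dict[str, Rights]:
        # One row of the matrix is the subject's capability list.
        return dict(self.matrix.get(subject, {}))

    def dac_check(self, subject: str, obj: str, right: str) -> bool:
        # Identity-based decision: only the matrix is consulted,
        # never a clearance or a label.
        return right in self.rights(subject, obj)

    def grant(self, owner: str, obj: str, grantee: str, right: str) -> bool:
        # Discretionary: only a subject holding "own" on the object may
        # grant rights to it (the Take-Grant "grant" rule in miniature).
        if "own" not in self.rights(owner, obj):
            return False
        self.add_right(grantee, obj, right)
        return True


# Constructed ordering of sensitivity levels, used only by the MAC check below.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_check(clearance: str, label: str) -> bool:
    # A MAC read decision compares the subject's clearance with the
    # object's label (simple security property); DAC never does this.
    return LEVELS[clearance] >= LEVELS[label]


def build_sample_acm() -> AccessControlMatrix:
    """Owner alice shares payroll.xlsx with bob on a need-to-know basis (sample data)."""
    acm = AccessControlMatrix()
    acm.add_right("alice", "payroll.xlsx", "own")
    acm.add_right("alice", "payroll.xlsx", "read")
    acm.grant("alice", "payroll.xlsx", "bob", "read")   # read only, nothing more
    acm.grant("bob", "payroll.xlsx", "carol", "read")   # refused: bob is not the owner
    return acm


if __name__ == "__main__":
    sample = build_sample_acm()
    print("ACL of payroll.xlsx:", sample.acl("payroll.xlsx"))
    print("bob may read:", sample.dac_check("bob", "payroll.xlsx", "read"))
    print("bob may write:", sample.dac_check("bob", "payroll.xlsx", "write"))
```

Running the block shows that bob's access follows entirely from the ACM entry alice chose to create, and that carol gets nothing because bob cannot grant what he does not own; the clearance comparison lives only in `mac_read_check`, which the DAC path never calls.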


Which of the following is least related to the discretionary access model (DAC)? (Wentz QOTD)
A. Need-to-know
B. Take-grant protection model
C. An object’s access control list
D. A subject’s security clearance
