Effective CISSP Questions

Which of the following is the most critical element of mandatory access control? (Wentz QOTD)
A. Acceptable use policy (AUP)
B. Competencies
C. Background check
D. Bell-LaPadula (BLP) model

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Background check.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Security Kernel

Mandatory access control (MAC) is a policy that mediates a subject’s access to objects to enforce security, typically by classifying subjects and objects into security levels (e.g., as in Executive Order 12356) and labeling them, instead of relying on the owner’s discretion as discretionary access control (DAC) does.

Background Check and Security Clearance

Users who may process classified data will be given a certain level of security clearance after the background check. A user becomes a subject in a trusted computer system and gets labeled inside the computer system to reflect its security clearance.

Bell-LaPadula and Biba Models

A subject’s access to objects is mediated by the security kernel, which compares their labels under a set of rules that control information flow, such as the Bell-LaPadula model or the Biba model. Comparing labels under BLP or Biba can be implemented with a lattice; most MAC models are lattice-based.
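The label comparison described above, written out as an added example (not from the original post or any real security kernel): labels form a lattice of a hierarchical level plus a set of compartments, and the BLP and Biba rules are each just a direction of the "dominates" partial order. Level names and compartments (NUCLEAR, CRYPTO) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Hierarchical levels (constructed names, EO 12356 style)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    """Lattice element: a level plus a set of compartments (need-to-know categories)."""
    level: Level
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        # Partial order: level at least as high AND compartments a superset.
        # Labels with disjoint compartments are incomparable: neither dominates.
        return self.level >= other.level and self.compartments >= other.compartments

def join(a: Label, b: Label) -> Label:
    """Least upper bound; every pair of labels has one, which is what makes this a lattice."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)

def blp_read_allowed(subject: Label, obj: Label) -> bool:
    """BLP simple security property (no read up): clearance must dominate the object."""
    return subject.dominates(obj)

def blp_write_allowed(subject: Label, obj: Label) -> bool:
    """BLP *-property (no write down): the object's label must dominate the clearance."""
    return obj.dominates(subject)

def biba_read_allowed(subject: Label, obj: Label) -> bool:
    """Biba simple integrity (no read down): object integrity must dominate the subject's."""
    return obj.dominates(subject)

def biba_write_allowed(subject: Label, obj: Label) -> bool:
    """Biba *-integrity (no write up): subject integrity must dominate the object's."""
    return subject.dominates(obj)

if __name__ == "__main__":
    # Constructed example: a SECRET//NUCLEAR clearance against objects elsewhere in the lattice.
    s_nuc = Label(Level.SECRET, frozenset({"NUCLEAR"}))
    s_cry = Label(Level.SECRET, frozenset({"CRYPTO"}))
    ts_all = Label(Level.TOP_SECRET, frozenset({"NUCLEAR", "CRYPTO"}))
    print("read TS//NUCLEAR,CRYPTO:", blp_read_allowed(s_nuc, ts_all))   # False: no read up
    print("write TS//NUCLEAR,CRYPTO:", blp_write_allowed(s_nuc, ts_all)) # True: write up allowed
    print("read SECRET//CRYPTO:", blp_read_allowed(s_nuc, s_cry))        # False: incomparable
```

The incomparable case is the point of using a lattice rather than a plain level ordering: two SECRET labels with different compartments permit neither read nor write in either direction.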

Mandatory Access Control (MAC)

An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following:
(i) passing the information to unauthorized subjects or objects;
(ii) granting its privileges to other subjects;
(iii) changing one or more security attributes on subjects, objects, the information system, or system components;
(iv) choosing the security attributes to be associated with newly-created or modified objects; or
(v) changing the rules governing access control.

Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints.

Source: NIST Glossary

Acceptable Use Policy (AUP)

An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network, website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization; it should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

In some cases a fair usage policy applied to a service allowing nominally unlimited use for a fixed fee simply sets a cap on what may be used, intended to allow normal usage but prevent what is considered excessive. For example, users of an “unlimited” broadband Internet service may be subject to suspension, termination, or bandwidth limiting for usage which is continually excessive, unfair, affects other users’ enjoyment of the broadband service, or is not consistent with the usage typically expected on a particular access package. The policy is enforced directly, without legal proceedings.

Source: Wikipedia


Which of the following is the most critical element of mandatory access control? (Wentz QOTD)
A. Acceptable use policy (AUP)
B. Competencies
C. Background check
D. Bell-LaPadula (BLP) model
