Effective CISSP Questions

The Bell-LaPadula (BLP) model was first proposed and published in 1973, refined in 1974, interpreted in 1976, and revisited in 2005 by authors David Elliott Bell et al. Which of the following statements about the model is incorrect? (Wentz QOTD)
A. The model considers clearance levels only but not need-to-know.
B. The model introduces five access attributes: read-only, append, execute, read/write, and control access.
C. The model formally defines the access matrix which remembers a list of access attributes associated with a subject-object pairing.
D. The model provides a clear definition of “security” being addressed.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The model considers clearance levels only but not need-to-know.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

“Our initial work focused on a definition of ‘security’ within a mathematical (conceptual) framework,” as mentioned in the paper, Back at the Bell–LaPadula Model (2005).

The first publication of the BLP model, Secure Computer Systems: Mathematical Foundations (1973), states the problem of security to be solved:

Let us consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. Then a central problem to be solved within the computing system is how to guarantee that unauthorized access (by a process) to information (file, program, data) does not occur.

Source: Secure Computer Systems: Mathematical Foundations (1973)

The First Publication of the BLP Model

Modified Requirements of The BLP Model
Basic Security Theorem (revised)

Discretionary Access Control (DAC) and Need-to-know

In the paper, Secure Computer System: Unified Exposition and Multics Interpretation (1976), the authors mentioned that “there is one further aspect of security that we address: the problem is called discretionary security and it is also based on current military/governmental policy (known as ‘need-to-know’).”

Need-to-know is the “decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.”

Source: CNSSI 4009-2015

In short, the model aims to guarantee that unauthorized access to information does not occur by enforcing both appropriate clearance and need-to-know. According to Wikipedia, the model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules with three security properties:

  1. The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
  2. The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level.
  3. The Discretionary Security Property uses an access matrix to specify the discretionary access control.

BLP and TCSEC (Orange Book)

The BLP model plays a vital role in the TCSEC (Orange Book), which explicitly relates need-to-know to discretionary controls:

Discretionary controls are not a replacement for mandatory controls. In an environment in which information is classified (as in the DoD) discretionary security provides for a finer granularity of control within the overall constraints of the mandatory policy. Access to classified information requires effective implementation of both types of controls as precondition to granting that access. In general, no person may have access to classified information unless:
(a) that person has been determined to be trustworthy, i.e., granted a personnel security clearance — MANDATORY, and
(b) access is necessary for the performance of official duties, i.e., determined to have a need-to-know — DISCRETIONARY. In other words, discretionary controls give individuals discretion to decide on which of the permissible accesses will actually be allowed to which users, consistent with overriding mandatory policy restrictions.

Source: TCSEC (Orange Book)

Need-to-know can be enforced by identity-based Discretionary Access Control (DAC) or lattice-based Mandatory Access Control (MAC) using non-hierarchical labels for compartments.
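The three properties listed above and the lattice-based enforcement of need-to-know just described, as an added example that is not from the post or from the BLP papers: a minimal reference monitor whose labels combine a hierarchical level with a non-hierarchical compartment set, plus a discretionary access matrix. All subjects, objects, labels and matrix entries are constructed for illustration.

```python
from dataclasses import dataclass
# Added example (not from the post): a minimal Bell-LaPadula reference monitor.
# Labels form a lattice (hierarchical level x non-hierarchical compartments) for the
# MAC rules; a discretionary access matrix supplies the ds-property. Values constructed.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset  # need-to-know categories, e.g. {"NUCLEAR"}

    def dominates(self, other):
        # Lattice order: level is at least as high AND compartments are a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

class ReferenceMonitor:
    def __init__(self, subjects, objects, matrix):
        self.subjects = subjects  # subject -> clearance Label
        self.objects = objects    # object -> classification Label
        self.matrix = matrix      # (subject, object) -> set of access attributes

    def check(self, subject, obj, mode):
        """mode: read (observe), append (alter), write (observe+alter), execute (neither)."""
        s, o = self.subjects[subject], self.objects[obj]
        if mode not in self.matrix.get((subject, obj), set()):
            return False, "ds-property: attribute not in access matrix"
        if mode in ("read", "write") and not s.dominates(o):      # no read up
            return False, "ss-property: subject does not dominate object"
        if mode in ("append", "write") and not o.dominates(s):    # no write down
            return False, "*-property: object does not dominate subject"
        return True, "allowed"

def build_demo_monitor():
    subjects = {"alice": Label("SECRET", frozenset({"NUCLEAR"})),
                "bob": Label("TOP SECRET", frozenset()),
                "carol": Label("CONFIDENTIAL", frozenset())}
    objects = {"reactor.doc": Label("SECRET", frozenset({"NUCLEAR"})),
               "public.txt": Label("UNCLASSIFIED", frozenset())}
    matrix = {("alice", "reactor.doc"): {"read", "write"},
              ("alice", "public.txt"): {"read"},
              ("bob", "reactor.doc"): {"read"},
              ("carol", "reactor.doc"): {"append"}}
    return ReferenceMonitor(subjects, objects, matrix)

if __name__ == "__main__":
    rm = build_demo_monitor()
    for req in [("alice", "reactor.doc", "write"), ("alice", "public.txt", "write"),
                ("bob", "reactor.doc", "read"), ("carol", "reactor.doc", "append")]:
        print(req, rm.check(*req))
```

Note that bob, who is cleared higher than the document, is still denied because he lacks the NUCLEAR compartment: the lattice enforces need-to-know, not only clearance level.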

TCB Access Control


The Bell-LaPadula (BLP) model was first proposed and published in 1973, refined in 1974, presented and interpreted in 1976, and revisited in 2005 by its author David Elliott Bell and others. Which of the following statements about the model is incorrect? (Wentz QOTD)
A. The model considers only clearance levels, not need-to-know.
B. The model introduces five access attributes: read-only, append, execute, read/write, and control.
C. The model formally defines the access matrix, which records the list of access attributes associated with each subject-object pairing.
D. The model provides a clear definition of "security".
