Systems Security Certified Practitioner – SSCP – Question0121

Which of the following access control models is based on sensitivity labels?

A. Discretionary access control
B. Mandatory access control
C. Rule-based access control
D. Role-based access control

Correct Answer: B

Explanation:

Access decisions are made based on the clearance of the subject and the sensitivity label of the object.
Example: Eve has a “Secret” security clearance and is able to access the “Mugwump Missile Design Profile” because its sensitivity label is “Secret.” She is denied access to the “Presidential Toilet Tissue Formula” because its sensitivity label is “Top Secret.”
The other answers are not correct because:
Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner. For example, Joe owns the “Secret Chili Recipe” and grants read access to Charles.
Role Based Access Control is incorrect because in RBAC access decisions are made based on the role held by the user. For example, Jane has the role “Auditor” and that role includes read permission on the “System Audit Log.”
Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a firewall, where rules are defined and apply to anyone connecting through the firewall.
References:
All in One third edition, page 164. Official ISC2 Guide page 187.