What is called a type of access control where a central authority determines what subjects can have
access to certain objects, based on the organizational security policy?

A.
Mandatory Access Control

B.
Discretionary Access Control

C.
Non-discretionary Access Control

D.
Rule-based access control

Explanation:
Non-Discretionary Access Control. A central authority determines what subjects can have access to
certain objects based on organizational security policy. The access controls may be based on the
individual’s role in the organization (role-based) or the subject’s responsibilities and duties (taskbased).
Pg. 33 Krutz: The CISSP Prep Guide.