PrepAway - Latest Free Exam Questions & Answers

Which integrity model defines a constrained data item, an integrity verification procedure and a transformation
procedure?

A.
The Take-Grant model

B.
The Biba integrity model

C.
The Clark-Wilson integrity model

D.
The Bell-LaPadula integrity model

Explanation:
When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly
protected, which is referred to as a constrained data item (CDI), and another subset that does not require a
high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data
(CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software
procedures (Transformation Procedures) will carry out the operations on behalf of the user. For example, when
Kathy needs to update information held within her company’s database, she will not be allowed to do so without
a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a
front end for the database, and then the program will control what Kathy can and cannot do to the information in
the database.
Incorrect Answers:
A: The take-grant protection model is used to establish or disprove the safety of a given computer system that
follows specific rules. This is not what is described in the question.
B: The Biba Model is a formal state transition system of computer security policy that describes a set of access
control rules designed to ensure data integrity. However, it does not define a constrained data item and a
transformation procedure.
C: The Bell-LaPadula model does not deal with integrity.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 374

