PrepAway - Latest Free Exam Questions & Answers


Which of the following access control techniques BEST gives the security officers the ability to specify and
enforce enterprise-specific security policies in a way that maps naturally to an organization’s structure?

A. Access control lists

B. Discretionary access control

C. Role-based access control

D. Non-mandatory access control

Explanation:
Role-based access control (RBAC) is a model where access to resources is determined by job role rather than
by user account.
Hierarchical RBAC allows the administrator to set up an organizational RBAC model that maps to the
organizational structures and functional delineations required in a specific environment. This is very useful
since businesses are already set up in a personnel hierarchy: in most cases, the higher you are in the chain of
command, the more access you will most likely have.
Role relations define user membership and privilege inheritance. For example, the nurse role can access a
certain set of files, and the lab technician role can access another set of files. The doctor role inherits the
permissions and access rights of these two roles and additionally has more elevated rights assigned directly to
the doctor role. So a hierarchical role is an accumulation of the rights and permissions of the roles below it,
which reflects organizational structures and functional delineations.
Incorrect Answers:
A: Access control lists form the basis of access control; they determine who can access what. However,
“access control lists” on its own is not a model that maps to the organizational structures and functional
delineations required in a specific environment.
B: Discretionary access control is a model where the owner of a resource has the discretion to specify which
users are permitted to access it. This is not a model that maps to the organizational structures and functional
delineations required in a specific environment.
D: Non-mandatory access control is not a defined access control model. It would imply any access model that
is not mandatory access control.
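The nurse / lab technician / doctor hierarchy from the explanation, worked through as an added example (not code from the original page): senior roles inherit the permissions of junior roles, so the doctor's effective permissions are the accumulation of both junior roles plus its own. Role names, permission strings and user assignments are constructed for illustration.

```python
# Added example: a minimal hierarchical RBAC model in which senior roles
# inherit the permissions of junior roles. All roles, permissions and user
# assignments below are constructed for illustration only.
from collections import deque


class HierarchicalRBAC:
    """Roles carry directly assigned permissions and may inherit from junior roles."""

    def __init__(self):
        self.permissions = {}   # role -> set of directly assigned permissions
        self.juniors = {}       # role -> set of junior roles it inherits from
        self.assignments = {}   # user -> set of roles the user holds

    def add_role(self, role, permissions=(), inherits=()):
        self.permissions[role] = set(permissions)
        self.juniors[role] = set(inherits)

    def assign(self, user, *roles):
        self.assignments.setdefault(user, set()).update(roles)

    def effective_permissions(self, role):
        """Accumulate the permissions of the role and every role below it.
        Breadth-first walk with a 'seen' set, so a mis-configured cycle in
        the hierarchy terminates instead of looping forever."""
        seen, queue, perms = set(), deque([role]), set()
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.permissions.get(r, set())
            queue.extend(self.juniors.get(r, ()))
        return perms

    def can(self, user, permission):
        """Authorization decision: any held role (or a role it inherits) grants it."""
        return any(permission in self.effective_permissions(r)
                   for r in self.assignments.get(user, ()))


def build_hospital_model():
    rbac = HierarchicalRBAC()
    rbac.add_role("nurse", {"read:patient-chart", "update:vitals"})
    rbac.add_role("lab_technician", {"read:lab-order", "write:lab-result"})
    # The doctor role inherits both junior roles and adds its own elevated right.
    rbac.add_role("doctor", {"write:prescription"},
                  inherits={"nurse", "lab_technician"})
    rbac.assign("alice", "nurse")
    rbac.assign("bob", "doctor")
    return rbac
```

Because rights accumulate upward, reviewing `effective_permissions()` for the most senior roles is the practical least-privilege check: a permission added to a junior role silently appears in every role above it.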

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 224-226
