Which of the following was the FIRST mathematical model of a multilevel security policy used to define the
concepts of a security state and mode of access, and to outline rules of access?

A.
Biba

B.
Bell-LaPadula

C.
Clark-Wilson

D.
State machine

Explanation:
In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security ofthese systems and leakage of classified information. The Bell-LaPadula model was developed to address these
concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a
secure state machine and modes of access, and outlined rules of access. Its development was funded by the
U.S. government to provide a framework for computer systems that would be used to store and process
sensitive information. The model’s main goal was to prevent secret information from being accessed in an
unauthorized manner.
A system that employs the Bell-LaPadula model is called a multilevel security system because users with
different clearances use the system, and the system processes data at different classification levels.
Incorrect Answers:
A: The Biba Model is an integrity model. This is not what is described in the question.
C: The Clark-Wilson Model is an integrity model. This is not what is described in the question.
D: State machine is not a specific model; it is a type of model. For example, the Bell-LaPadula model is a state
machine model.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 369