Which security model ensures that actions that take place at a higher security level do not affect actions that
take place at a lower level?

A.
The Bell-LaPadula model

B.
The information flow model

C.
The noninterference model

D.
The Clark-Wilson model

Explanation:
Multilevel security properties can be expressed in many ways, one being noninterference. This concept is
implemented to ensure any actions that take place at a higher security level do not affect, or interfere with,
actions that take place at a lower level. This type of model does not concern itself with the flow of data, but
rather with what a subject knows about the state of the system. So if an entity at a higher security level
performs an action, it cannot change the state for the entity at the lower level.
If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of
the system changed for this lower-level entity, the entity might be able to deduce too much information about
the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level
should not be aware of the commands executed by users at a higher level and should not be affected by those
commands in any way.
Incorrect Answers:
A: The Bell–LaPadula model is a state machine model used for enforcing access control in government and
military applications. This is not what is described in the question.
B: The information flow model forms the basis of other models such as Bell–LaPadula or Biba. This is not what
is described in the question.
D: The Clark-Wilson model prevents unauthorized users from making modifications, prevents authorized users
from making improper modifications, and maintains internal and external consistency through auditing. This is
not what is described in the question.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 380