What is called a type of access control where a central authority determines what subjects can
have access to certain objects, based on the organizational security policy?

A.
Mandatory Access Control

B.
Discretionary Access Control

C.
Non-discretionary Access Control

D.
Rule-based access control

Explanation:
Non-Discretionary Access Control. A central authority determines what subjects can
have access to certain objects based on organizational security policy. The access controls may
be based on the individual’s role in the organization (role-based) or the subject’s responsibilities
and duties (task-based).
Pg. 33 Krutz: The CISSP Prep Guide.