Which integrity model defines a constrained data item, an integrity verification procedure and a
transformation procedure?

A.
The Take-Grant model

B.
The Biba integrity model

C.
The Clark Wilson integrity model

D.
The Bell-LaPadula integrity model

Explanation:
The Clark-Wilson model was developed to address security issues in commercial
environments. The model uses two categories of mechanisms to realize integrity: well-formed
transactions and separation of duty. It defines a constraint data item, a integrity verification and a
transformation of that object. A possible way to represent a constraint that only certain trusted
programs can modify objects is using application:checksum condition, where the checksum
ensures authenticity of the application. Another way is using application:endorser condition, which
indicates that a valid certificate, stating that the application has been endorsed by the specified
endorser, must be presented. Static separation of duty is enforced by the security administrator
when assigning group membership. Dynamic separation of duty enforces control over how
permissions are used at the access time