[Cisspstudy] Access Control
TEC
twayde86 at hotmail.com
Sat Aug 29 16:28:04 EDT 2009
Based on the comments for question 978, one would believe that "rule-based access control is an example of mandatory access control" and that it would be the correct answer for question 398. However, the answer for 398 is "Rule-based access control is a type of non-discretionary access control".
Clement tries to clarify in the comments for 398 by noting "Mandatory Access Control must make use of LABELS as well. If there is only rules and no label, it cannot be Mandatory Access Control"; however, in question 978 there is no mention of labels either, but the correct answer is MAC.
I need some clarification as to whether I am missing something.
Thanks
Question: 978 | Difficulty: 4/5 | Relevancy: 3/3
Which of the following is an example of discretionary access control?
a. >Identity-based access control
b. Task-based access control
c. Role-based access control
d. Rule-based access control
Sorry - you had a wrong answer. Please review details below.
Details
An identity-based access control is an example of discretionary access control that is based on an individual's identity. Task-based and role-based access controls are examples of non-discretionary access controls and a rule-based access control is an example of mandatory access control.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
Question: 398 | Difficulty: 4/5 | Relevancy: 3/3
The rule-based access control where access is determined by rules is a type of:
a. Discretionary Access Control
b. Mandatory Access control
c. >Non-Discretionary Access Control
d. Lattice-based Access control
Sorry - you had a wrong answer. Please review details below.
Details
Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of the users or subjects.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
Comment:
NOTE FROM CLEMENT:
A lot of people tend to confuse MAC and Rule Based Access Control.
Mandatory Access Control must make use of LABELS as well. If there is only rules and no label, it cannot be Mandatory Access Control. This is why they call it Non Discretionary Access control. In MAC subjects must have clearance to access sensitive objects. Objects have labels that contain the classification to indicate the sensitivity of the object and the label also has categories to enforce the need to know.
Today the best example of rule based access control would be a firewall. All rules are imposed globally to any user attempting to connect through the device. This is NOT the case with MAC.
Contributor: Rakesh Sud
Study area: CISSP CBK - Access Control
Covered topic: Rule-based access control
This question © Copyright 2003-2009 Rakesh Sud, cccure.org. All rights reserved. No unauthorized use or duplication without explicit written permission of author and of cccure.org.
Sarchasm -: The gulf between the author of sarcastic wit and the person who doesn't get it
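
The distinction drawn in Clement's note, as an added example that is not part of the original post or the cccure.org quiz: a rule-based decision takes no subject attributes at all, while a MAC decision compares the subject's clearance with the object's label (classification plus categories). The level names, category names and firewall rules are constructed for illustration, and the MAC check assumes the standard read rule that the clearance must dominate the label.

```python
from dataclasses import dataclass

# Constructed sensitivity levels, lowest to highest (assumption, not from the post).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Clearance (on a subject) or classification label (on an object)."""
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments


def mac_read_allowed(clearance: Label, object_label: Label) -> bool:
    """MAC: the subject's clearance must dominate the object's label.

    Dominate = level at least as high AND every category on the object
    is also held by the subject (need to know).
    """
    return (LEVELS[clearance.level] >= LEVELS[object_label.level]
            and object_label.categories <= clearance.categories)


# Constructed firewall-style rule set: (action, protocol, destination port).
# No rule mentions a subject or a label; the same list applies to everyone.
FIREWALL_RULES = [
    ("allow", "tcp", 443),
    ("allow", "tcp", 25),
    ("deny", "tcp", 23),
]


def rule_based_allowed(protocol: str, port: int, rules=FIREWALL_RULES) -> bool:
    """Rule-based: first matching rule wins, default deny, no subject input."""
    for action, proto, dport in rules:
        if proto == protocol and dport == port:
            return action == "allow"
    return False


if __name__ == "__main__":
    doc = Label("SECRET", frozenset({"CRYPTO"}))
    alice = Label("SECRET", frozenset({"CRYPTO"}))
    bob = Label("SECRET")  # same level, but no CRYPTO need-to-know
    print("MAC alice reads doc:", mac_read_allowed(alice, doc))
    print("MAC bob reads doc:  ", mac_read_allowed(bob, doc))
    # The rule-based answer is identical whoever is connecting.
    print("Rule-based tcp/443: ", rule_based_allowed("tcp", 443))
    print("Rule-based tcp/23:  ", rule_based_allowed("tcp", 23))
```
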