Weekly CISSP Practice
Exam Questions
Week 41 - Question 1
What type of access control model uses labels to make access decisions?
A. Discretionary Access Control
B. Role-Based Access Control
C. Mandatory Access Control
D. Attribute-Based Access Control
Answer: C. Mandatory Access Control
Explanation:
A. Discretionary Access Control (DAC)
In a DAC model, the owner of the resource (the person who created the file or folder) has full control over who else can access it.
- The Mechanism: Access is typically managed via Access Control Lists (ACLs).
- The Flexibility: It is the most flexible model, used by standard operating systems like Windows and Linux. However, it is less secure because a user could accidentally (or maliciously) share a sensitive file with someone they shouldn't.
B. Role-Based Access Control (RBAC)
RBAC assigns permissions to roles rather than individual users.
- The Mechanism: Users are placed into groups (e.g., "HR," "Managers," "Auditors"). When an employee changes jobs within the company, the administrator simply changes their role, and their permissions update automatically.
- The Benefit: This is the standard for most corporate environments because it simplifies management and supports the principle of Least Privilege.
C. Mandatory Access Control (MAC)
MAC is the most restrictive and secure model, famously used in military and high-security government environments.
- The Mechanism: Every Subject (user) is assigned a Clearance Label (e.g., Top Secret, Secret, Confidential), and every Object (file) is assigned a Sensitivity Label.
- The Decision: Access is granted only if the subject's clearance level matches or exceeds the object's sensitivity label. Unlike DAC, the "owner" of a file cannot change its permissions; only a central authority (the Security Administrator) can.
- Rule of Thumb: If you see the word "Labels" on the CISSP exam, the answer is almost certainly MAC.
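To make the MAC decision rule concrete, here is an added example (written for this page, not code from the original or from any particular product) that encodes the label comparison described above. The label ordering, the "Unclassified" floor level, the sample subjects and files, and the "secadmin" administrator account are all constructed assumptions; the point is that the read decision depends only on labels, and that the file's owner has no power to relabel it.

```python
"""Added example (not from the original page): a minimal MAC-style
read-access decision. Labels are ordered by sensitivity; a subject may
read an object only if its clearance level matches or exceeds the
object's sensitivity label. Ownership plays no part in the decision:
only a security administrator (assumed account "secadmin") can relabel."""
from dataclasses import dataclass

# Lattice of labels from the explanation above, lowest to highest.
# Constructed ordering; "Unclassified" is added as the floor (assumption).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    sensitivity: str
    owner: str


def _rank(label: str) -> int:
    """Map a label to its position in the lattice; unknown labels fail closed."""
    if label not in LEVELS:
        raise ValueError(f"unknown label: {label!r}")
    return LEVELS[label]


def can_read(subject: Subject, obj: Obj) -> bool:
    """MAC read rule: clearance must match or exceed the object's sensitivity."""
    return _rank(subject.clearance) >= _rank(obj.sensitivity)


def relabel(actor: str, obj: Obj, new_sensitivity: str, admins: set[str]) -> Obj:
    """Only a central security administrator may change a label.
    The object's owner has no special power here (unlike DAC)."""
    if actor not in admins:
        raise PermissionError(f"{actor} is not a security administrator")
    _rank(new_sensitivity)  # reject unknown labels before applying them
    return Obj(obj.name, new_sensitivity, obj.owner)


if __name__ == "__main__":
    # Constructed sample data.
    alice = Subject("alice", "Secret")
    bob = Subject("bob", "Confidential")
    plan = Obj("ops-plan.txt", "Secret", owner="bob")

    print(can_read(alice, plan))   # True: Secret >= Secret
    print(can_read(bob, plan))     # False: Confidential < Secret
    try:
        relabel("bob", plan, "Confidential", admins={"secadmin"})
    except PermissionError as e:
        print(e)                   # the owner cannot downgrade his own file
    plan2 = relabel("secadmin", plan, "Confidential", admins={"secadmin"})
    print(can_read(bob, plan2))    # True only after an administrator relabels
```

Note that `bob` owns `ops-plan.txt` yet cannot read it until an administrator lowers its label; that is the behaviour the exam question is testing for, and the unknown-label check shows the fail-closed default a label-based system should keep.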
D. Attribute-Based Access Control (ABAC)
ABAC is the most modern and complex model. It makes decisions based on "if/then" logic using Attributes.
- The Mechanism: It looks at a combination of:
  - Subject attributes (user's department, training records)
  - Object attributes (file type, sensitivity)
  - Environmental attributes (time of day, current location, device being used)
- Example: "Allow the Manager to view the Payroll file only if they are on the corporate network during business hours."
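The payroll rule quoted above, evaluated as an added example (written for this page, not code from the original or from any ABAC product). The attribute names, the 10.0.0.0/8 corporate range, the Monday-to-Friday 09:00-16:59 business window and the sample requests are all constructed assumptions; what the code shows is that a single decision combines subject, object and environmental attributes, and that anything missing or malformed leads to deny.

```python
"""Added example (not from the original page): evaluating the ABAC rule
"Allow the Manager to view the Payroll file only if they are on the
corporate network during business hours." Attribute names, the network
range and the time window are constructed assumptions."""
from datetime import datetime
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.0.0.0/8")   # assumed corporate address range
BUSINESS_HOURS = range(9, 17)              # 09:00-16:59, assumed window


def is_corporate(ip: str) -> bool:
    """Environmental attribute: is the request coming from the corporate network?"""
    try:
        return ip_address(ip) in CORPORATE_NET
    except ValueError:
        return False     # malformed or missing address: fail closed


def in_business_hours(when: datetime) -> bool:
    """Environmental attribute: weekday and within the assumed business window."""
    return when.weekday() < 5 and when.hour in BUSINESS_HOURS


def payroll_policy(subject: dict, obj: dict, env: dict) -> bool:
    """One if/then rule combining subject, object and environment attributes.
    Every attribute must be present and satisfied; a missing one denies."""
    if "time" not in env:
        return False
    return (
        subject.get("role") == "Manager"          # subject attribute
        and obj.get("type") == "Payroll"          # object attribute
        and env.get("action") == "view"           # requested action
        and is_corporate(env.get("source_ip", ""))  # environment: location
        and in_business_hours(env["time"])        # environment: time of day
    )


def decide(rules, subject: dict, obj: dict, env: dict) -> str:
    """Default deny: "permit" only if at least one rule grants the request."""
    for rule in rules:
        if rule(subject, obj, env):
            return "permit"
    return "deny"


if __name__ == "__main__":
    # Constructed sample request: a Finance manager on the corporate
    # network at 10:30 on Tuesday 5 March 2024.
    manager = {"role": "Manager", "department": "Finance"}
    payroll = {"type": "Payroll", "sensitivity": "Confidential"}
    env = {"action": "view", "source_ip": "10.1.2.3",
           "time": datetime(2024, 3, 5, 10, 30)}

    print(decide([payroll_policy], manager, payroll, env))                    # permit
    print(decide([payroll_policy], manager, payroll,
                 dict(env, source_ip="203.0.113.5")))                          # deny: off-network
    print(decide([payroll_policy], manager, payroll,
                 dict(env, time=datetime(2024, 3, 5, 20, 0))))                 # deny: after hours
    print(decide([payroll_policy], {"role": "Clerk"}, payroll, env))          # deny: wrong role
```

Contrast this with the MAC and RBAC models above: the same manager with the same role is permitted or denied depending on where and when the request is made, which is exactly what a label or a role alone cannot express.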
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.