Which access control type has a central authority that determine to what objects the subjects have access to and it is based on role or on the organizational security policy?

A. Mandatory Access Control

B. Discretionary Access Control

C. Non-Discretionary Access Control

D. Rule-based Access control








 

Suggested Answer: C



Non Discretionary Access Control  include Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC).   RABC being a subset of
NDAC, it was easy to eliminate RBAC as it was covered under NDAC already.
Some people think that RBAC is synonymous with NDAC but RuBAC would also fall into this category.
Discretionary Access control is for environment with very low level of security.  There is no control on the dissemination of the information.  A user who has access to a file can copy the file or further share it with other users.
Rule Based Access Control is when you have ONE set of rules applied uniformly to all users.  A good example would be a firewall at the edge of your network.  A single rule based is applied against any packets received from the internet.
Mandatory Access Control is a very rigid type of access control.  The subject must dominate the object and the subject must have a Need To Know to access the information.  Objects have labels that indicate the sensitivity (classification) and there is also categories to enforce the Need To Know (NTK).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

This question is in SSCP Systems Security Certified Practitioner Exam
For getting Systems Security Certified Practitioner (SSCP) Certificate






Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by ISC. 
Trademarks, certification & product names are used for reference only and belong to ISC.
The website does not contain actual questions and answers from ISC's Certification Exams.