Page 1546 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 14: Controlling and Monitoring Access
1. B. The implicit deny principle ensures that access to an object is
denied unless access has been expressly allowed (or explicitly
granted) to a subject. It does not allow all actions that are not
denied, and it doesn’t require all actions to be denied.
2. C. The principle of least privilege ensures that users (subjects) are
granted only the most restrictive rights they need to perform their
work tasks and job functions. Users don’t execute system
processes. The least privilege principle does not enforce the least
restrictive rights but rather the most restrictive rights.
3. B. An access control matrix includes multiple objects, and it lists
subjects’ access to each of the objects. A single list of subjects for
any specific object within an access control matrix is an access
control list. A federation refers to a group of companies that share
a federated identity management system for single sign-on.
Creeping privileges refers to the excessive privileges a subject
gathers over time.
4. D. The data custodian (or owner) grants permissions to users in a
Discretionary Access Control (DAC) model. Administrators grant
permissions for resources they own, but not for all resources in a
DAC model. A rule-based access control model uses an access
control list. The Mandatory Access Control (MAC) model uses
labels.
5. A. A Discretionary Access Control (DAC) model is an identity-based
access control model. It allows the owner (or data custodian)
of a resource to grant permissions at the discretion of the owner.
The Role Based Access Control (RBAC) model is based on role or
group membership. The rule-based access control model is based
on rules within an ACL. The Mandatory Access Control (MAC)
model uses assigned labels to identify access.

