(ISC)2 Certified in Cybersecurity Practice Exam

Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What is the best description of mandatory access control?

  1. A system that allows users to control access to resources

  2. A system where access rights are assigned based on a predefined policy

  3. A flexible system determined by user roles

  4. A policy that gives full control to the owner

The correct answer is: A system where access rights are assigned based on a predefined policy

Mandatory access control (MAC) is best described as a system where access rights are assigned based on a predefined policy. In MAC, access to resources is regulated by a central authority according to system-enforced policies, rather than being granted by individual resource owners. This approach typically uses labels or classifications (such as security clearances) to govern access to resources, ensuring that users cannot grant access rights to others outside of the predefined policy framework. This centralized enforcement enhances security and reduces the risk of unauthorized data disclosure or manipulation, as users do not have the discretion to determine who can access the resources they manage. Such a structure is commonly used in environments with stringent security requirements, where data classification is crucial, such as in military or governmental organizations.

The other options highlight characteristics that do not align with the MAC model. For instance, user-controlled access suggests a discretionary model, where individual users can decide who can access their resources, which is contrary to the principles of mandatory access control. The idea of flexibility dependent on user roles points towards role-based access control (RBAC), where permissions can vary significantly based on the user's role, again differing from the rigid structure of MAC. Lastly, a policy that grants full control to the owner suggests a discretionary framework, allowing resource