Which access model is most appropriate for companies with a high employee turnover?
Answer(s): A
The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company.Selecting the best answer requires one to think about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigningpermissions because the permissions are assigned to roles which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles and their permissions derive from their assigned role. They will implicitely inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked/changed appropriately.Mandatory access control is incorrect. While controlling access based on the clearence level of employees and the sensitivity of obects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company.Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-Lapadula, Biba, etc). In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324-325.Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation.
Alll in One, third edition page 165RBAC is discussed on pp. 189 through 191 of the ISC(2) guide.
What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
Answer(s): B
"It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188A capability table is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192. The distinction that makes this an incorrect choice is that access is based on posession of a capability by the subject.To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL."An access control matrix is incorrect. The access control matrix is a way of describing the rules for an access control strategy. The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318.AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects.In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc.A role-based matrix is incorrect. Again, a matrix of roles vs objects could be used as a tool for thinking about the access control to be applied to a set of objects. The results of the analysis could then be implemented using RBAC.
CBK, Domain 2: Access Control.AIO3, Chapter 4: Access Control
What is the difference between Access Control Lists (ACLs) and Capability Tables?
Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object. It is a row within the matrix.To put it another way, A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.CLEMENT NOTE:If we wish to express this very simply:Capabilities are attached to a subject and it describe what access the subject has to each of the objects on the row that matches with the subject within the matrix. It is a row within the matrix. ACL's are attached to objects, it describe who has access to the object and what type of access they have. It is a column within the matrix.The following are incorrect answers:"Access control lists are subject-based whereas capability tables are object-based" is incorrect. "Capability tables are used for objects whereas access control lists are used for users" is incorrect."They are basically the same" is incorrect.References used for this question:CBK, pp. 191 - 192AIO3 p. 169
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
Answer(s): C
The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318.AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects.In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc."A capacity table" is incorrect.This answer is a trap for the unwary -- it sounds a little like "capability table" but is just there to distract you."An access control list" is incorrect."It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an access control matrix but is different from the matrix itself."A capability table" is incorrect."Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192. To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL."Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself.
CBK pp. 191-192, 317-318AIO3, p. 169
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?
MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users -- for example, user Joe (SECRET clearance) cannot reclassify the "Presidential Doughnut Recipe" from "SECRET" to "CONFIDENTIAL" so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.Access control matrix is incorrect. The access control matrix is a way of thinking about the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc.TACACS is incorrect. TACACS is a tool for performing user authentication.
CBK, p. 187, Domain 2: Access Control.AIO3, Chapter 4, Access Control.
Share your comments for ISC SSCP exam with other users:
is this dump still valid???
question 205 answer is b
question 39, should be answer b, directions stated is being sudneted from /21 to a /23. a /23 has 512 ips so 510 hosts. and can make 4 subnets out of the /21
beautiful test engine software and very helpful. questions are same as in the real exam. i passed my paper.
the questions are exactly the same in real exam. just make sure not to answer all them correct or else they suspect you are cheating.
question: 78 the right answer i think is d not a
very helpful
i am writing this exam tomorrow and have dumps
can i have the icdl excel exam
please upload it
hye when will post again the past year question for this h13-311_v3 part since i have to for my test tommorow…thank you very much
on question 22, option b-once per session is also valid.
this website is very helpful
its my first time exam
correct answers are device configuration-enable the automatic installation of webview2 runtime. & policy management- prevent users from submitting feedback.
is this dump still valid? today is 9-july-2023
i need this exam.. please upload these are really helpful
please upload the oracle 1z0-1059-22 dumps
very good questions
nice, first step to exams
is this valid for chfiv9 as well... as i am reker 3rd time...
great exam for people taking 220-1101
this is very helpfull for me
just started preparing for the exam
these are the type of questions i need.
does this actually work? are they the exam questions and answers word for word?
thanks for providing these questions
interesting
these dumps are pretty good.
good questions
dbua is used for upgrading oracle database
i am thrilled to say that i passed my amazon web services mls-c01 exam, thanks to study materials. they were comprehensive and well-structured, making my preparation efficient.
please upload latest ibm ace c1000-056 dumps
if only explanations were provided...