Access control: Models and methods in the CISSP exam [updated 2022] - Infosec Resources (2022)

This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.

There are times when people need access to information, such as documents or slides on a network drive, but don’t have the appropriate level of access to read or modify the item. This can happen at the most inconvenient time, and they would need to get hold of a system administrator to grant them the appropriate level of privileges. Of course, they end up asking why they can’t just have overall access to the information in a folder so they can sort through the items and find what they need.

The answer could be along the lines of, “Sorry, but you need to submit a ticket to the help desk with the appropriate information filled out which will go through a vetting process before we can grant you the appropriate access.” This leads to more frustration with the individual potentially saying something like, “Is there a faster way to do this? I just need access to one folder, that’s it.” So now what?

As painful as it may seem (and inconvenient at times), there are reasons why access control comes into play for a scenario like this.

Access control and the CISSP certification

Access control is a core concept in cybersecurity, so naturally, it’s covered on the CISSP certification exam. CISSP domain 5 covers identity and access management, and objective 5.4 within that domain is “Implement and manage authorization mechanisms.” There are six main types of access control models all CISSP holders should understand:

  1. Mandatory Access Control (MAC)
  2. Discretionary Access Control (DAC)
  3. Role-Based Access Control (RBAC)
  4. Rule-Based Access Control
  5. Attribute-Based Access Control (ABAC)
  6. Risk-Based Access Control

In this article, we’ll define access control, explore the six access control models, describe the methods of logical access control and explain the different types of physical access control.

Access control and access control model

Access control is identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a username and password, allowing them access to files, computers or other hardware or software the person requires and ensuring they have the right level of permission (i.e., read-only) to do their job. So, how does one grant the right level of permission to an individual so that they can perform their duties? This is where access control models come into the picture.


As noted above, the CISSP exam calls out six flavors of access control.

1. Mandatory Access Control (MAC)

The Mandatory Access Control (MAC) model leaves the assignment of labels, and the rules that compare them, to the security administrator (the custodian) alone; the end-user has no control over any setting that could grant a privilege to anyone. The system labels every subject (a clearance) and every object (a classification) and enforces the comparison on each access. Two formal security models are associated with MAC: Biba and Bell-LaPadula. Biba is concerned with the integrity of information, whereas Bell-LaPadula is concerned with its confidentiality. Under Biba, “higher” means higher integrity (more trustworthy), and the model has two rules: the Simple Integrity Axiom, “no read down,” lets a subject read objects at its own integrity level or higher (so reading up is allowed), and the * Integrity Axiom, “no write up,” lets a subject write only to objects at its own level or lower (so writing down is allowed). The intent is that low-integrity data can never contaminate high-integrity data. The usual business illustration is that employees at lower integrity levels can read information published from higher levels, and executives can write down to inform lower-level employees, but nothing written at a lower level can flow upward.

Bell-LaPadula, on the other hand, orders labels by sensitivity. Its Simple Security Property is “no read up”: a subject may read objects at its own clearance level or below (“read down”). Its *-property (star property) is “no write down”: a subject may write only to objects at its own level or higher (“write up”), so a Top Secret user cannot copy Top Secret content into a Secret document. Bell-LaPadula was developed for governmental and military purposes, where someone who lacks the correct clearance and does not need to know certain information has no business with that information. At one time, MAC was associated with a numbering system that assigned a level number to files and a level number to employees. If one file (e.g., myfile.ppt) is level 400, another file (e.g., yourfile.docx) is level 600 and the employee is level 500, the employee can read myfile.ppt but not yourfile.docx, because the file’s level (600) is higher than the employee’s; that is the no-read-up rule with integers as labels. MAC is the most restrictive of the access control models and is used in military and government settings, where the classifications Unclassified, Confidential, Secret and Top Secret take the place of the numbering system.
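To make the two rule sets concrete, here is a small Python checker added for this article (it is not from the CISSP material or from any product) that encodes Bell-LaPadula and Biba over ordered labels and also reproduces the 400/500/600 numeric example above. The confidentiality label names are the standard ones; the integrity levels and the sample subjects are constructed for illustration.

```python
from typing import Dict

# Constructed label sets for the example. The confidentiality names are the
# standard US levels; the integrity levels are made up for illustration.
CONFIDENTIALITY: Dict[str, int] = {
    "Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3,
}
INTEGRITY: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2}


def blp_allows(subject_clearance: int, object_classification: int, action: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : Simple Security Property, no read up  -> clearance >= classification
    write: *-property, no write down             -> clearance <= classification
    """
    if action == "read":
        return subject_clearance >= object_classification
    if action == "write":
        return subject_clearance <= object_classification
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject_integrity: int, object_integrity: int, action: str) -> bool:
    """Biba (integrity).
    read : Simple Integrity Axiom, no read down -> object >= subject
    write: * Integrity Axiom, no write up       -> object <= subject
    """
    if action == "read":
        return object_integrity >= subject_integrity
    if action == "write":
        return object_integrity <= subject_integrity
    raise ValueError(f"unknown action {action!r}")


def numeric_level_allows(employee_level: int, file_level: int, action: str = "read") -> bool:
    """The article's 400/500/600 scheme is Bell-LaPadula with integers as labels."""
    return blp_allows(employee_level, file_level, action)


def mac_decision(subject: Dict[str, str], obj: Dict[str, str], action: str) -> bool:
    """A system enforcing both models lets an access through only when neither
    model forbids it. The subject carries 'clearance' and 'integrity'; the
    object carries 'classification' and 'integrity'."""
    conf_ok = blp_allows(CONFIDENTIALITY[subject["clearance"]],
                         CONFIDENTIALITY[obj["classification"]], action)
    int_ok = biba_allows(INTEGRITY[subject["integrity"]],
                         INTEGRITY[obj["integrity"]], action)
    return conf_ok and int_ok


if __name__ == "__main__":
    analyst = {"clearance": "Secret", "integrity": "High"}
    report = {"classification": "Confidential", "integrity": "High"}
    print("read Confidential report:", mac_decision(analyst, report, "read"))
    print("employee 500 reads file 600:", numeric_level_allows(500, 600))
```

Note that the two models pull in opposite directions: Bell-LaPadula lets a Secret subject write into a Top Secret object, while Biba forbids a Medium-integrity subject from writing into a High-integrity one, which is why a system that enforces both ends up with a narrow band of permitted flows.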

2. Discretionary Access Control (DAC)

The Discretionary Access Control (DAC) model is the least restrictive model, in contrast to the most restrictive MAC model. DAC gives an individual complete control over any objects they own and over the programs they run against those objects; Unix file permission bits and Windows NTFS permissions are everyday examples. This gives DAC two major weaknesses. First, the end-user, as owner, can set permissions for other users, which can result in users having higher privileges than they are supposed to. Secondly, and worse, the permissions the end-user holds are inherited by every program they execute.

This means the end-user can execute malware without knowing it, and the malware runs with, and can abuse, whatever privileges the end-user possesses.

3. Role-Based Access Control (RBAC)

The Role-Based Access Control (RBAC) model provides access control based on the position an individual fills in an organization. So, instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it. In essence, John would just need access to the security manager profile. RBAC makes life easier for the system administrator of the organization.

The big issue with this model is that if John requires access to files outside the security manager role, there has to be another way to grant it. Permissions are tied to the role, not the person: adding John’s extra files to the security manager role would give every other security manager access to files they are not authorized for, so the administrator must define an additional role (or a documented exception process) instead.
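The following Python snippet, added here as an illustration rather than taken from any product, shows the separation RBAC relies on: permissions attach to roles, users are assigned roles, a user’s effective permissions are the union over their roles, and John’s extra access is handled by giving him a second role instead of editing the security manager role. The role names, permission strings and users are invented for the example.

```python
from typing import Dict, Set

# Constructed role catalogue: permission strings are "resource:operation".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "security_manager": {"siem:read", "siem:write", "incident:read", "incident:write"},
    "auditor": {"siem:read", "incident:read", "audit_log:read"},
    "hr_analyst": {"payroll:read"},
}

# Users hold roles, never permissions directly.
USER_ROLES: Dict[str, Set[str]] = {
    "john": {"security_manager"},
    "maria": {"auditor"},
}


def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_permitted(user: str, permission: str) -> bool:
    return permission in effective_permissions(user)


def assign_role(user: str, role: str) -> None:
    """The only way a user gains access: attach an existing role.
    Refusing unknown roles keeps the catalogue the single source of truth."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    USER_ROLES.get(user, set()).discard(role)


def users_with_permission(permission: str) -> Set[str]:
    """Reverse lookup for access reviews: who can currently do this?"""
    return {u for u in USER_ROLES if is_permitted(u, permission)}


if __name__ == "__main__":
    print("john payroll:read before:", is_permitted("john", "payroll:read"))
    assign_role("john", "hr_analyst")   # new role, not a per-user exception
    print("john payroll:read after: ", is_permitted("john", "payroll:read"))
    print("who can read the SIEM:", users_with_permission("siem:read"))
```

Because the security manager role was never touched, Maria and every other holder of that role keep exactly the access they had, and the reverse lookup makes periodic access reviews a one-line query.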


4. Rule-Based Access Control

Rule-Based Access Control is sometimes also abbreviated RBAC, which clashes with role-based access control, so RB-RBAC is used to tell the two apart. Rule-Based Access Control grants or denies access (or, in some implementations, dynamically assigns roles to users) according to criteria defined by the custodian or system administrator. For example, if someone is only allowed access to files during certain hours of the day, Rule-Based Access Control would be the tool of choice; a firewall rule set is another common instance.

The additional “rules” of Rule-Based Access Control may need to be “programmed” into the system by the custodian or system administrator in the form of code or a policy language rather than by “checking a box.”

5. Attribute-Based Access Control (ABAC)

The Attribute-Based Access Control (ABAC) model is often described as a more granular form of Role-Based Access Control, since several attributes must all be satisfied in order to gain access. These attributes are associated with the subject, the object, the action and the environment. For example, a sales rep (subject) may try to access a client’s record (object) in order to update the information (action) from his office during work hours (environment).

This approach allows finer tuning of access controls than a role-based approach. For example, we could deny access based on the environment (e.g., time of day) or the action (e.g., deleting records). The downside is that these controls can be more difficult to get up and running, and a policy that spans many attributes is harder to audit.
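Here is a worked ABAC policy in Python, added for this article and not drawn from any ABAC product or standard. Each rule examines subject, object, action and environment attributes and returns permit, deny or not applicable; the decision function is deny-overrides with a default of deny. The time-of-day rule is the rule-based control from the previous section expressed as an environment attribute. The roles, regions, locations and working hours are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional


@dataclass
class Subject:
    user: str
    role: str
    region: str


@dataclass
class Resource:
    kind: str
    region: str


@dataclass
class Environment:
    now: datetime
    location: str            # "office", "vpn" or "public" (constructed values)
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)

    def in_work_hours(self) -> bool:
        return self.work_start <= self.now.time() < self.work_end


Decision = Optional[str]     # "permit", "deny" or None (rule not applicable)
Rule = Callable[[Subject, Resource, str, Environment], Decision]


def sales_rep_own_region(s: Subject, r: Resource, a: str, e: Environment) -> Decision:
    """Reps may read/update client records in their own region, from a
    trusted location, during work hours."""
    if (s.role == "sales_rep" and r.kind == "client_record" and r.region == s.region
            and a in {"read", "update"} and e.location in {"office", "vpn"}
            and e.in_work_hours()):
        return "permit"
    return None


def records_admin_in_office(s: Subject, r: Resource, a: str, e: Environment) -> Decision:
    if s.role == "records_admin" and e.location == "office":
        return "permit"
    return None


def no_delete_unless_admin(s: Subject, r: Resource, a: str, e: Environment) -> Decision:
    """Action-based denial: deleting records is reserved for admins."""
    if a == "delete" and s.role != "records_admin":
        return "deny"
    return None


def after_hours_read_only(s: Subject, r: Resource, a: str, e: Environment) -> Decision:
    """Environment-based (rule-based) restriction: nothing but reads at night."""
    if not e.in_work_hours() and a != "read":
        return "deny"
    return None


POLICY: List[Rule] = [sales_rep_own_region, records_admin_in_office,
                      no_delete_unless_admin, after_hours_read_only]


def decide(s: Subject, r: Resource, a: str, e: Environment) -> bool:
    """Deny-overrides: any applicable deny wins; otherwise at least one permit
    is required. With no applicable rule the answer is deny."""
    decisions = [rule(s, r, a, e) for rule in POLICY]
    if "deny" in decisions:
        return False
    return "permit" in decisions


if __name__ == "__main__":
    rep = Subject("alice", "sales_rep", "EMEA")
    rec = Resource("client_record", "EMEA")
    day = Environment(datetime(2024, 3, 12, 10, 30), "office")
    night = Environment(datetime(2024, 3, 12, 2, 0), "office")
    print("rep updates at 10:30 from office:", decide(rep, rec, "update", day))
    print("rep updates at 02:00 from office:", decide(rep, rec, "update", night))
```

Note how the environment alone flips the answer for the same subject, object and action, and that a subject with no applicable permit rule (a rep reading at night) is refused by default rather than by any explicit deny.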

6. Risk-Based Access Control

Risk-Based Access Control is a dynamic access control model that determines access based on the level of evaluated risk involved in the transaction. One commonly-used example is identifying the risk profile of the user logging in. If the device being logged in from is not recognized, that could elevate the risk to prompt additional authentication. If an action deemed high-risk occurs, such as attempting to update banking information, that could trigger more risk-based prompts.

One recent study found risk-based controls to be less annoying to users than some other forms of authentication. For example, two-factor authentication was “significantly more cumbersome to use and significantly more unnecessarily complex compared to [the tested risk-based authentication] conditions.”
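The following Python sketch, added here and not based on any vendor’s risk engine, shows how the signals mentioned above (an unrecognized device, an unfamiliar network, impossible travel, recent failed attempts and the sensitivity of the requested action, such as updating banking information) can be combined into a score that selects password-only login, step-up authentication or outright denial. The weights and thresholds are assumptions chosen for illustration; a real deployment tunes them against observed fraud and user friction.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed weights (assumptions for the example, not measured values).
UNKNOWN_DEVICE = 40
UNKNOWN_NETWORK = 20
IMPOSSIBLE_TRAVEL = 60
PER_FAILED_ATTEMPT = 10
MAX_COUNTED_FAILURES = 5
SENSITIVE_ACTIONS: Dict[str, int] = {
    "update_banking": 40,
    "change_password": 30,
    "export_data": 30,
}

STEP_UP_THRESHOLD = 40   # ask for a second factor at or above this score
DENY_THRESHOLD = 100     # refuse outright at or above this score


@dataclass
class LoginContext:
    known_device: bool        # device fingerprint seen for this user before
    known_network: bool       # source address/geo consistent with history
    impossible_travel: bool   # too far from the last login for the elapsed time
    recent_failures: int      # failed attempts in the last window
    action: str               # what the session is trying to do


def risk_score(ctx: LoginContext) -> int:
    """Additive score: each signal contributes independently, failures are
    capped so a lockout does not dominate everything else."""
    score = 0
    if not ctx.known_device:
        score += UNKNOWN_DEVICE
    if not ctx.known_network:
        score += UNKNOWN_NETWORK
    if ctx.impossible_travel:
        score += IMPOSSIBLE_TRAVEL
    score += min(ctx.recent_failures, MAX_COUNTED_FAILURES) * PER_FAILED_ATTEMPT
    score += SENSITIVE_ACTIONS.get(ctx.action, 0)
    return score


def required_assurance(score: int) -> str:
    """Map the score to the authentication the transaction must pass."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"      # e.g. one-time code or security key
    return "password"


def decide(ctx: LoginContext) -> str:
    return required_assurance(risk_score(ctx))


if __name__ == "__main__":
    usual = LoginContext(True, True, False, 0, "view_dashboard")
    new_laptop = LoginContext(False, True, False, 0, "view_dashboard")
    banking = LoginContext(True, True, False, 0, "update_banking")
    print("usual login:", decide(usual))
    print("new laptop: ", decide(new_laptop))
    print("bank update:", decide(banking))
```

The point the study quoted above makes falls out of the scoring: the everyday login from a known device costs the user nothing extra, and the second factor is only demanded when a signal actually moved the score.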

Now let’s explore how these controls are logically implemented.


Logical access control methods

Logical access control is done via access control lists (ACLs), group policies, passwords and account restrictions.

Access Control Lists (ACLs) are permissions attached to an object, such as a spreadsheet file, that the system checks to allow or deny access to that object. These permissions range from full control to read-only to “access denied.” On Windows, each entry in an ACL is an access control entry (ACE), made up of four pieces of information: a security identifier (SID) naming the user or group, an access mask (the set of operations the entry covers), an ACE type that says whether those operations are allowed, denied or audited, and a set of flags that control whether the entry is inherited by child objects. The system walks the ACEs in order, and an applicable deny entry stops the check before any later allow entry is considered. Linux and macOS implement the same idea with permission bits and extended ACLs. So, as one can see, ACLs provide detailed access control for objects. However, they become cumbersome when changes occur frequently and one needs to manage many objects.
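The following Python model, added for this article and simplified from the real Windows structures (the mask bits, flags and SIDs are constructed, not the Win32 values), shows why the order of ACEs matters: the check walks the list, an applicable deny entry stops it, and allow entries clear the requested rights until none remain. It also shows how inheritable entries are copied to a child object with the inherited flag set, and the canonical ordering Windows applies so that explicit denies are evaluated before anything else.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Simplified access mask bits (illustrative, not the Win32 constants).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

ALLOW, DENY = "allow", "deny"
OBJECT_INHERIT = 0x01   # entry is propagated to child objects
INHERITED = 0x10        # entry came from a parent rather than being set here


@dataclass(frozen=True)
class ACE:
    ace_type: str    # ALLOW or DENY (audit entries omitted here)
    sid: str         # security identifier of a user or group
    mask: int        # operations this entry covers
    flags: int = 0   # inheritance flags


def access_check(dacl: Optional[List[ACE]], token_sids: Iterable[str], requested: int) -> bool:
    """Walk the DACL in order. A deny entry overlapping any still-needed right
    ends the check; allow entries clear the rights they grant until nothing
    is left. A missing DACL grants everything, an empty DACL grants nothing."""
    if dacl is None:
        return True
    sids = set(token_sids)
    remaining = requested
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.ace_type == DENY and ace.mask & remaining:
            return False
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def inherit_dacl(parent_dacl: List[ACE]) -> List[ACE]:
    """Build a child object's DACL from the parent's inheritable entries."""
    return [
        ACE(a.ace_type, a.sid, a.mask, (a.flags & ~OBJECT_INHERIT) | INHERITED)
        for a in parent_dacl
        if a.flags & OBJECT_INHERIT
    ]


def canonical_order(dacl: List[ACE]) -> List[ACE]:
    """Windows canonical order: explicit denies, explicit allows,
    inherited denies, inherited allows. sorted() is stable, so entries of
    the same rank keep their relative order."""
    def rank(a: ACE) -> int:
        inherited = bool(a.flags & INHERITED)
        return (2 if inherited else 0) + (0 if a.ace_type == DENY else 1)
    return sorted(dacl, key=rank)


if __name__ == "__main__":
    folder = [
        ACE(DENY, "S-alice", WRITE),
        ACE(ALLOW, "S-users", READ | EXECUTE, OBJECT_INHERIT),
        ACE(ALLOW, "S-admins", FULL_CONTROL, OBJECT_INHERIT),
    ]
    alice = {"S-alice", "S-users"}
    print("alice read folder :", access_check(folder, alice, READ))
    print("alice write folder:", access_check(folder, alice, WRITE))
    print("child ACEs        :", inherit_dacl(folder))
```

The ordering function is the part practitioners trip over: an allow entry listed ahead of a deny for the same principal silently wins, which is why Windows rewrites a DACL into canonical order and warns when a tool has written a non-canonical one.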

Group policies are part of the Windows environment and allow centralized management of access control across a network of computers using Microsoft’s directory service, Active Directory. This eliminates the need to visit each computer and configure access control. The settings are stored in Group Policy Objects (GPOs), which lets the system administrator configure them in one place. Although convenient, group policy is applied by the client machine, so an attacker who already holds local administrator rights can disable or work around it and make life miserable for the system administrator or custodian; GPOs complement object ACLs rather than replace them.

Passwords are “the most common logical access control … sometimes referred to as a logical token” (Ciampa, 2009). That being said, they need to be hard to crack to provide a meaningful level of access control. If one makes the password easy to guess or uses a word in the dictionary, it is subject to brute-force attacks, dictionary attacks or attacks using rainbow tables (precomputed hash lookups). Keeping this in mind, experts agree that the longer and less predictable the password, the harder it is to crack, provided the user can remember it; a long passphrase beats a short string of special characters. On the storage side, hashing each password with a unique random salt and a deliberately slow algorithm defeats rainbow tables, because the attacker can no longer precompute one table that covers every account. Two-factor authentication (such as a smart card with a password) makes things more secure, especially now that cracking a weak password can take only seconds.

Ensuring patches are applied regularly, deleting or disabling unnecessary accounts, password-protecting the BIOS, ensuring the computer only boots from the hard drive and keeping the door locked with the computer behind it will all help keep passwords (and the password store) protected.

Of course, not writing down the password will help, too.

Account restrictions are the last logical access control method on the list. Ciampa points out, “The two most common account restrictions are time of day restrictions and account expiration” (Ciampa, 2009). Time of day restrictions can ensure that a user has access to certain records only during certain hours, so that administrators can update records at night without interference from other users. Account expiration ensures unused accounts are no longer available, so attackers cannot use them for any “dirty work.”


Types of physical access control

Physical access control uses physical barriers to prevent unauthorized users from reaching systems while still letting authorized users reach them. This type of control includes keeping the computer itself secure, securing the door that provides access to the system, using a paper access log, performing video surveillance with closed-circuit television and, in high-security settings, using “mantraps.”

Securing the computer consists of disabling hardware so that someone who gains physical access can do little damage: USB ports and CD or DVD drives are disabled, and the BIOS is password-protected so the boot order cannot be changed. This reduces the risk of malicious code being loaded onto the system and spreading to other parts of the network.

Door security can be very basic, such as a keyed deadbolt lock of the kind used on a house, or it can use electronic devices such as cipher locks or physical tokens. A cipher lock only allows access to someone who knows the code. Physical tokens typically consist of an ID badge that is either swiped for access or contains a radio frequency identification (RFID) tag holding information that identifies the individual requesting access through the door.

Paper access logs are common in many places for physical security. This allows a company to log a person in with name, company, phone number, time in and time out. It can also document the employee who escorted the person during the time they were there. Paper access logs, filled out accurately, will complement video surveillance.

Video surveillance on closed-circuit television allows for the recording of people who pass through a security checkpoint. This type of door security lets one observe the individuals going through the checkpoint, along with the date and time, which is useful when investigating an incident. Video surveillance can also be used inside mantraps.

Mantraps take door security to another level. They are found in military and government settings at the entrance to very high-security areas. A person presents their identification to the security attendant, who allows them through the first door into a small room. Only if the individual’s credentials are valid is the second door opened; if not, they are trapped, and the only way out is back through the first door they came in. The two doors are interlocked so that both are never open at once, which also prevents tailgating.


There are six access control models covered on the CISSP certification exam — as well as different logical access control methods and several types of physical access controls. No access control model or method is perfect; however, if one does something to deter an attacker, they can count that as a success in information security practice.

Article information

Author: Greg O'Connell

Last Updated: 10/18/2022
