Question Scenario – Your organisation has 50 employees. You have an IT security policy covering least privilege, need to know, job rotation, mandatory vacations, etc. Your business is mainly web development. You hold sensitive data, such as the database passwords of clients' websites. You also know the algorithm used to hash those passwords, because your company develops most of the web application code itself. Because of this, the development team creates the application and then the Safety Team changes the password. To keep this safe, the Safety Team has no permission to see which application it is changing the password for. There is also a password vault that preserves the integrity of the data in this password-changing process.
Your company had a firewall on its systems and servers that protects port 22 (SSH) by filtering it. One day a data breach occurred, and it was found that the data stolen from your servers carried the label Confidential.
Question: as a CISSP, you are asked to prepare a list of the access control models your organisation was using.
There was rule-based access control (RuBAC), implemented by the firewall rule that filters port 22: the decision depends only on whether the traffic matches the rule, not on who the user is. There was mandatory access control (MAC), indicated by the stolen data carrying the label Confidential: under MAC, access is decided by comparing the subject's clearance with the object's label, and neither the data owner nor the user can override that decision (the label alone proves classification was in place; it counts as MAC because the system enforced access on it). Finally, there was role-based access control (RBAC), shown by the fact that the development team role creates the application while the Safety Team role holds the permission to change the password. Note that the split between the two teams is also separation of duties, but that is a principle, not an access control model, so it does not belong in the list.
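As an added example (not code from the original post), here the three models from the answer are written as separate decision functions so the difference between them is visible: the rule-based check looks only at the packet's attributes against an ordered rule list, the MAC check compares a subject clearance to an object label, and the RBAC check walks user to role to permission. The management subnet that is still allowed to reach port 22, the user names, the roles and the clearance levels are all assumptions made up for illustration; the page states none of them.

```python
"""Three access-control models from the scenario, as decision functions.

Added example; not code from the original post. The management subnet,
user names, roles, clearances and labels are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Classification levels, lowest to highest (constructed ordering).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


# --- Rule-based access control (RuBAC): firewall-style rule list ---------
@dataclass
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any destination port
    src: str             # source CIDR the rule applies to


# First match wins, like a packet filter. The scenario's firewall filters
# port 22; the management subnet exception is an assumption, not from the page.
FIREWALL_RULES = [
    Rule("allow", "tcp", 22, "10.0.0.0/24"),   # assumed management subnet
    Rule("deny", "tcp", 22, "0.0.0.0/0"),      # filter SSH from everywhere else
    Rule("allow", "tcp", 443, "0.0.0.0/0"),    # public HTTPS
    Rule("deny", "any", None, "0.0.0.0/0"),    # explicit default deny
]


def rule_based_allows(proto, port, src_ip, rules=FIREWALL_RULES):
    """Decide purely on packet attributes vs. the rules; identity plays no part."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if src not in ip_network(r.src):
            continue
        return r.action == "allow"
    return False  # nothing matched: deny by default


# --- Mandatory access control (MAC): clearance vs. label ------------------
def mac_allows_read(clearance, label):
    """No read up: a subject may read only objects at or below its clearance.

    Neither the owner nor the user can change this outcome; only the labels matter.
    """
    return LEVELS[clearance] >= LEVELS[label]


# --- Role-based access control (RBAC): user -> role -> permission ---------
ROLE_PERMISSIONS = {
    "developer": {"create_application", "deploy_application"},
    # The Safety Team can rotate a password but cannot see which application
    # it belongs to, matching the scenario.
    "safety": {"change_password"},
}
USER_ROLES = {"alice": {"developer"}, "bob": {"safety"}}  # constructed users


def rbac_allows(user, permission):
    """Grant if any role held by the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    # RuBAC: SSH from the internet is filtered, HTTPS is not.
    print("ssh from internet:", rule_based_allows("tcp", 22, "203.0.113.5"))
    print("https from internet:", rule_based_allows("tcp", 443, "203.0.113.5"))
    # MAC: an internal-cleared subject may not read confidential data.
    print("internal reads confidential:", mac_allows_read("internal", "confidential"))
    # RBAC: the safety role changes passwords but cannot view the application.
    print("bob change_password:", rbac_allows("bob", "change_password"))
    print("bob view_application:", rbac_allows("bob", "view_application"))
```

The three functions take different inputs on purpose: `rule_based_allows` never sees a user, `mac_allows_read` never sees a rule table, and `rbac_allows` never sees a label. That is the quickest way to tell the models apart in an exam scenario: ask what the decision is made from.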
Was this question tough?
Well, it should not be... just make sure to check out http://sagarbansal.com/cissp