Topic 1: Access Control
Which access control model was proposed for enforcing access control in government and
military applications?
A. Bell-LaPadula model
B. Biba model
C. Sutherland model
D. Brewer-Nash model
Bell-LaPadula model
The Bell-LaPadula model, mostly concerned with confidentiality, was
proposed for enforcing access control in government and military applications. It supports
mandatory access control by determining the access rights from the security levels
associated with subjects and objects. It also supports discretionary access control by
checking access rights from an access matrix. The Biba model, introduced in 1977, the
Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are
concerned with integrity.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control
Systems and Methodology (page 11).
Which security model introduces access to objects only through programs?
A. The Biba model
B. The Bell-LaPadula model
C. The Clark-Wilson model
D. The information flow model
The Clark-Wilson model
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well-formed transactions).
The Clark–Wilson integrity model provides a foundation for specifying and analyzing an
integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing corruption of data items in a system due to
either error or malicious intent. An integrity policy describes how the data items in the
system should be kept valid from one state of the system to the next and specifies the
capabilities of various principals in the system. The model defines enforcement rules and
certification rules.
Clark–Wilson is more clearly applicable to business and industry processes in which the
integrity of the information content is paramount at any level of classification.
Integrity goals of the Clark–Wilson model:
1. Prevent unauthorized users from making modifications (only this goal is addressed by the Biba model).
2. Separation of duties prevents authorized users from making improper modifications.
3. Well-formed transactions maintain internal and external consistency, i.e. a well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other.
The following are incorrect answers:
The Biba model is incorrect. The Biba model is concerned with integrity and controls access to objects based on a comparison of the security level of the subject to that of the object.
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and controls access to objects based on a comparison of the clearance level of the subject to the classification level of the object.
The information flow model is incorrect. The information flow model uses a lattice where objects are labelled with security classes and information can flow either upward or at the same level. It is similar in framework to the Bell-LaPadula model.
References:
ISC2 Official Study Guide, Pages 325 - 327
AIO3, pp. 284 - 287
AIOv4 Security Architecture and Design (pages 338 - 342)
AIOv5 Security Architecture and Design (pages 341 - 344)
Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model
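The following Python sketch is an added illustration of the Clark-Wilson mechanism described above; it is not code from the page or from any of the cited books. It models constrained data items (CDIs) that can only be changed through certified transformation procedures (TPs), with an integrity verification procedure (IVP) run before every commit so that a valid state always maps to a valid state. The two-account ledger, the `transfer` TP, `ledger_balanced` and the `teller` user are constructed for the example.

```python
"""Clark-Wilson style integrity kernel: constrained data items (CDIs) are
reachable only through certified transformation procedures (TPs).

Rules modelled (names follow the model; the code is an illustration):
  E1: a TP may run only on the CDIs it was certified for.
  E2: a user may run a TP only if an access triple (user, TP, CDIs) exists.
  C1/C2: the IVP must hold before and after every TP, so a valid state
         always maps to a valid state.
`ledger_balanced`, `transfer`, the account names and `teller` are constructed.
"""
from copy import deepcopy


class IntegrityViolation(Exception):
    """A TP would have left the CDIs in an invalid state."""


class ClarkWilsonKernel:
    def __init__(self, cdis, ivp):
        self._cdis = dict(cdis)   # CDI name -> value; no public setter exists
        self._ivp = ivp           # IVP: state -> bool
        self._certified = {}      # E1: TP name -> (callable, frozenset of CDI names)
        self._triples = set()     # E2: (user, TP name)
        if not ivp(self._cdis):
            raise IntegrityViolation("initial state fails the IVP")

    def certify_tp(self, name, func, cdi_names):
        """Certification is an administrative act: record which CDIs the TP touches."""
        self._certified[name] = (func, frozenset(cdi_names))

    def add_triple(self, user, tp_name):
        self._triples.add((user, tp_name))

    def read(self, cdi_name):
        return self._cdis[cdi_name]

    def execute(self, user, tp_name, **args):
        """Run a TP on behalf of `user`; this is the only path that can change a CDI."""
        if tp_name not in self._certified:
            raise PermissionError(f"{tp_name!r} is not a certified TP")
        if (user, tp_name) not in self._triples:          # E2
            raise PermissionError(f"{user!r} may not run {tp_name!r}")
        func, scope = self._certified[tp_name]
        # The TP works on a private copy of only the CDIs it is certified for (E1).
        working = {k: deepcopy(self._cdis[k]) for k in scope}
        func(working, **args)
        candidate = {**self._cdis, **{k: working[k] for k in scope}}
        if not self._ivp(candidate):                       # C2
            raise IntegrityViolation(f"{tp_name!r} would leave the CDIs inconsistent")
        self._cdis = candidate                             # commit: valid -> valid
        return True


def attempt(kernel, user, tp_name, **args):
    """Return a status string instead of raising; the shape an audit log would record."""
    try:
        kernel.execute(user, tp_name, **args)
        return "committed"
    except PermissionError:
        return "denied"
    except IntegrityViolation:
        return "rejected"


def build_demo_kernel():
    """Constructed sample: a two-account ledger whose invariant is 'no overdraft
    and the account balances always sum to the recorded total'."""
    cdis = {"acct_ann": 100, "acct_bob": 50, "total": 150}

    def ledger_balanced(state):
        accounts = [v for k, v in state.items() if k.startswith("acct_")]
        return all(v >= 0 for v in accounts) and sum(accounts) == state["total"]

    def transfer(cdi, src, dst, amount):
        # Well-formed transaction: the debit and the credit happen together.
        cdi[src] -= amount
        cdi[dst] += amount

    kernel = ClarkWilsonKernel(cdis, ledger_balanced)
    kernel.certify_tp("transfer", transfer, ["acct_ann", "acct_bob"])
    kernel.add_triple("teller", "transfer")
    return kernel


if __name__ == "__main__":
    k = build_demo_kernel()
    print(attempt(k, "teller", "transfer", src="acct_ann", dst="acct_bob", amount=30))
    print(attempt(k, "teller", "transfer", src="acct_ann", dst="acct_bob", amount=500))
    print(attempt(k, "intruder", "transfer", src="acct_bob", dst="acct_ann", amount=1))
    print(k.read("acct_ann"), k.read("acct_bob"))
```

The overdraft transfer is rejected with the ledger untouched because the TP only ever works on a copy and the commit is gated by the IVP; the unauthorised user is stopped by the access triples before the TP runs at all.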
Which of the following questions is less likely to help in assessing physical access
controls?
A. Does management regularly review the list of persons with physical access to sensitive facilities?
B. Is the operating system configured to prevent circumvention of the security software and application controls?
C. Are keys or other access devices needed to enter the computer room and media library?
D. Are visitors to sensitive areas signed in and escorted?
Is the operating system configured to prevent circumvention of the security software and
application controls?
Physical security and environmental security are part of operational controls,
and are measures taken to protect systems, buildings, and related supporting
infrastructures against threats associated with their physical environment. All the questions
above are useful in assessing physical access controls except for the one regarding
operating system configuration, which is a logical access control.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-
Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to
A-24).
What is the Biba security model concerned with?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity
Integrity
The Biba security model addresses the integrity of data being threatened
when subjects at lower security levels are able to write to objects at higher security levels
and when subjects can read data at lower levels.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (Page 244).
Which of the following remote access authentication systems is the most robust?
A. TACACS
B. RADIUS
C. PAP
D. TACACS+
TACACS+
TACACS+ is a proprietary Cisco enhancement to TACACS and is more
robust than RADIUS. PAP is not a remote access authentication system but a remote node
security protocol.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3:
Telecommunications and Network Security (page 122).
Which one of the following authentication mechanisms creates a problem for mobile users?
A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. One-time password mechanism
D. Challenge response mechanism
Mechanisms based on IP addresses
Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers assign a new IP address every time the device is restarted. For example, an insurance adjuster uses a laptop to file claims online: he goes to a different client each time, and the address changes every time he connects to the ISP.
NOTE FROM CLEMENT:
The term MOBILE in this case is synonymous with Road Warriors, where a user is constantly traveling and changing location. With smartphones today that may not be an issue, but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices, but in some cases this issue could affect cellular devices as well.
The following answers are incorrect:
Mechanism with reusable passwords. This is incorrect because a reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific intervals.
One-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user.
Challenge response mechanism. This is incorrect because a challenge response mechanism would not present a problem for mobile users.
A central authority determining what subjects can have access to certain objects based on
the organizational security policy is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access Control
Non-Discretionary Access Control
A central authority determines what subjects can have access to certain
objects based on the organizational security policy.
The key focal point of this question is the 'central authority' that determines access rights.
Cecilia, one of the quiz users, has sent me feedback informing me that NIST defines MAC as: "MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY." This seems to indicate there could be two good answers to this question. However, if you read the NISTIR document mentioned in the references below, it is also mentioned that MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy.
Within the same document it is also mentioned: "In general, all access control policies
other than DAC are grouped in the category of non- discretionary access control (NDAC).
As the name implies, policies in this category have rules that are not established at the
discretion of the user. Non-discretionary policies establish controls that cannot be changed
by users, but only through administrative action."
Under NDAC you have two choices:
Rule-Based Access Control and Role-Based Access Control
MAC is implemented using RULES, which makes it fall under Rule-Based Access Control (RuBAC), which is a form of NDAC. It is a subset of NDAC.
This question is representative of what you can expect on the real exam, where you have more than one choice that seems to be right. However, you have to look closely at whether one of the choices is higher level, or whether one of the choices falls under one of the other choices. In this case NDAC is the better choice because MAC falls under NDAC through the use of Rule-Based Access Control.
The following are incorrect answers:
MANDATORY ACCESS CONTROL
In Mandatory Access Control the labels of the object and the clearance of the subject determine access rights, not a central authority. Although a central authority (better known as the Data Owner) assigns the label to the object, the system determines access rights automatically by comparing the object label with the subject clearance. The subject clearance MUST dominate (be equal to or higher than) the label of the object being accessed.
The need for a MAC mechanism arises when the security policy of a system dictates that:
1. Protection decisions must not be decided by the object owner.
2. The system must enforce the protection decisions (i.e., the system enforces the security
policy over the wishes or intentions of the object owner).
Usually a labeling mechanism and a set of interfaces are used to determine access based
on the MAC policy; for example, a user who is running a process at the Secret
classification should not be allowed to read a file with a label of Top Secret. This is known
as the “simple security rule,” or “no read up.”
Conversely, a user who is running a process with a label of Secret should not be allowed to
write to a file with a label of Confidential. This rule is called the “*-property” (pronounced
“star property”) or “no write down.” The *-property is required to maintain system security in
an automated environment.
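As an added example (not from the page or its sources), here is a small reference monitor in Python that applies the two Bell-LaPadula rules just described, together with the dual Biba integrity rules referred to in the Biba question earlier on this page, over a (level, categories) lattice. The level names, the `NATO` category and the function names are assumptions for the illustration.

```python
"""Label-based mandatory access control reference monitor (added illustration).

A label is (level, categories). `a` dominates `b` when a's level is at least
b's level and a's category set contains b's. Bell-LaPadula protects
confidentiality; Biba is its dual and protects integrity. The level names and
the "NATO" category used below are constructed sample values.
"""
from dataclasses import dataclass

CLASSIFICATION = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()


def dominates(a, b, order):
    """Lattice ordering: a's level >= b's level and a's categories are a superset of b's."""
    return order[a.level] >= order[b.level] and a.categories >= b.categories


def blp_allows(subject, obj, op):
    """Bell-LaPadula: 'no read up' (simple security rule) and 'no write down' (*-property)."""
    if op == "read":
        return dominates(subject, obj, CLASSIFICATION)
    if op == "write":
        return dominates(obj, subject, CLASSIFICATION)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba strict integrity: 'no read down' and 'no write up' (the dual of BLP)."""
    if op == "read":
        return dominates(obj, subject, INTEGRITY)
    if op == "write":
        return dominates(subject, obj, INTEGRITY)
    raise ValueError(f"unknown operation {op!r}")


def mediate(policy, subject, obj, op):
    """Reference-monitor style wrapper: every request yields an auditable decision record."""
    allowed = policy(subject, obj, op)
    return {"decision": "allow" if allowed else "deny", "op": op,
            "subject": subject.level, "object": obj.level}


if __name__ == "__main__":
    secret = Label("Secret")
    for target, op in [(Label("Top Secret"), "read"), (Label("Confidential"), "write"),
                       (Label("Confidential"), "read"), (Label("Top Secret"), "write")]:
        print(mediate(blp_allows, secret, target, op))
    # Categories matter too: Secret without NATO cannot read Secret/NATO.
    print(mediate(blp_allows, secret, Label("Secret", frozenset({"NATO"})), "read"))
```

Note that the decision never consults an owner or an ACL: once the labels are assigned, the comparison alone decides, which is exactly why the text says MAC is enforced by the system rather than by a central authority at request time.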
DISCRETIONARY ACCESS CONTROL
In Discretionary Access Control the rights are determined by many different entities: each person who has created a file is the owner of that file and controls access to it, rather than one central authority.
DAC leaves a certain amount of access control to the discretion of the object's owner or
anyone else who is authorized to control the object's access. For example, it is generally
used to limit a user's access to a file; it is the owner of the file who controls other users'
accesses to the file. Only those users specified by the owner may have some combination
of read, write, execute, and other permissions to the file.
DAC policy tends to be very flexible and is widely used in the commercial and government
sectors. However, DAC is known to be inherently weak for two reasons:
First, granting read access is transitive; for example, when Ann grants Bob read access to
a file, nothing stops Bob from copying the contents of Ann’s file to an object that Bob
controls. Bob may now grant any other user access to the copy of Ann’s file without Ann’s
knowledge.
Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroying the contents of Ann's files. When investigating the problem, the audit files would indicate that Ann destroyed her own files.
Thus, formally, the drawbacks of Discretionary Access Control (DAC) are as follows:
1. Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system.
2. No restrictions apply to the usage of information when the user has received it.
3. The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization's security requirements.
ACLs and owner/group/other access control mechanisms are by far the most common
mechanism for implementing DAC policies. Other mechanisms, even though not designed
with DAC in mind, may have the capabilities to implement a DAC policy.
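To make the first DAC weakness concrete, here is an added Python illustration (not from the page or from NISTIR 7316) of an owner-controlled ACL store. The users ann, bob and carol and the object names are constructed; the point is that once Bob has legitimately read Ann's file, the copy he makes is governed by his ACL, not hers, so the system gives no assurance about where the information flows.

```python
"""Owner-controlled DAC with per-object ACLs (added illustration, not from the
page). It reproduces the first DAC weakness the text lists: a grantee can copy
data into an object he owns and re-share it, so the original owner's ACL never
governs the copy. Users ann/bob/carol and the object names are constructed.
"""


class DacStore:
    def __init__(self):
        self._objects = {}   # name -> {"owner", "data", "acl": {user: set(perms)}}

    def create(self, owner, name, data):
        self._objects[name] = {"owner": owner, "data": data, "acl": {}}

    def check(self, user, name, perm):
        """DAC decision: the owner has every right; others only what the ACL grants."""
        obj = self._objects[name]
        return user == obj["owner"] or perm in obj["acl"].get(user, set())

    def grant(self, actor, name, user, perm):
        """Only the object's owner may change its ACL (the 'discretionary' part)."""
        if actor != self._objects[name]["owner"]:
            raise PermissionError(f"{actor} does not own {name}")
        self._objects[name]["acl"].setdefault(user, set()).add(perm)

    def read(self, user, name):
        if not self.check(user, name, "read"):
            raise PermissionError(f"{user} may not read {name}")
        return self._objects[name]["data"]

    def copy(self, user, src, dst):
        """A permitted read followed by a create: the copy is owned by `user`,
        and nothing ties it back to the source object's ACL."""
        self.create(user, dst, self.read(user, src))

    def owner_of(self, name):
        return self._objects[name]["owner"]


def transitive_access_demo():
    """Constructed scenario from the text: Ann grants Bob read, Bob copies the
    file and re-shares the copy with Carol, whom Ann never authorised."""
    store = DacStore()
    store.create("ann", "ann_report", "Q3 figures")
    store.grant("ann", "ann_report", "bob", "read")
    store.copy("bob", "ann_report", "bob_copy")
    store.grant("bob", "bob_copy", "carol", "read")
    return {
        "carol_on_original": store.check("carol", "ann_report", "read"),
        "carol_on_copy": store.check("carol", "bob_copy", "read"),
        "copy_owner": store.owner_of("bob_copy"),
        "carol_reads": store.read("carol", "bob_copy"),
    }


if __name__ == "__main__":
    for key, value in transitive_access_demo().items():
        print(f"{key}: {value}")
```

Every individual check in the scenario is correct under DAC; the leak is a property of the model, not a bug in the ACL code, which is why the text contrasts it with a system-wide labelling policy.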
RULE BASED ACCESS CONTROL
In Rule-based Access Control a central authority could in fact determine what subjects can
have access when assigning the rules for access. However, the rules actually determine
the access and so this is not the most correct answer.
RuBAC (as opposed to RBAC, role-based access control) allows users to access systems
and information based on predetermined and configured rules. It is important to note that
there is no commonly understood definition or formally defined standard for rule-based
access control as there is for DAC, MAC, and RBAC. “Rule-based access” is a generic
term applied to systems that allow some form of organization-defined rules, and therefore
rule-based access control encompasses a broad range of systems. RuBAC may in fact be
combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every
access request and compares the rules with the rights of the user to make an access
decision. Most of the rule-based access control relies on a security label system, which
dynamically composes a set of rules defined by a security policy. Security labels are
attached to all objects, including files, directories, and devices. Sometimes roles are also
assigned to subjects (based on their attributes). RuBAC meets the business needs as well
as the technical needs of controlling service access. It allows business rules to be applied
to access control—for example, customers who have overdue balances may be denied
service access. As a mechanism for MAC, rules of RuBAC cannot be changed by users.
The rules can be established by any attributes of a system related to the users such as
domain, host, protocol, network, or IP addresses. For example, suppose that a user wants
to access an object in another network on the other side of a router. The router employs
RuBAC with the rule composed by the network addresses, domain, and protocol to decide
whether or not the user can be granted access. If employees change their roles within the
organization, their existing authentication credentials remain in effect and do not need to be
reconfigured. Using rules in conjunction with roles adds greater flexibility because rules
can be applied to people as well as to devices. Rule-based access control can be
combined with role-based access control, such that the role of a user is one of the attributes in rule setting. Some provisions of access control systems have rule-based
policy engines in addition to a role-based policy engine and certain implemented dynamic
policies [Des03]. For example, suppose that two of the primary types of software users are
product engineers and quality engineers. Both groups usually have access to the same
data, but they have different roles to perform in relation to the data and the application's
function. In addition, individuals within each group have different job responsibilities that
may be identified using several types of attributes such as developing programs and testing
areas. Thus, the access decisions can be made in real time by a scripted policy that
regulates the access between the groups of product engineers and quality engineers, and
each individual within these groups. Rules can either replace or complement role-based
access control. However, the creation of rules and security policies is also a complex
process, so each organization will need to strike the appropriate balance.
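An added Python example, not the page's own code, of a rule-based policy engine along the lines described above: rules are administrator-defined predicates over request attributes (role, resource, protocol, source network, overdue balance), so role is one attribute among several and the overdue-balance business rule sits beside the technical ones. The 10.0.0.0/8 internal network, the rule names and the attribute names are constructed for the example.

```python
"""Rule-based access control (RuBAC) policy engine, added as an illustration.
Rules are predicates over request attributes that only an administrator edits;
requests are matched in order and anything unmatched is denied (fail closed).
The rule names, the 10.0.0.0/8 "internal" network and the attribute names are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ENGINEERING_ROLES = {"product_engineer", "quality_engineer"}


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Dict], bool]
    effect: str  # "allow" or "deny"


def from_internal(request: Dict) -> bool:
    """Network address as a rule attribute, as in the router example in the text."""
    return ipaddress.ip_address(request["src_ip"]) in INTERNAL_NET


# Administrator-defined rules; ordinary users have no interface to change them.
RULES: List[Rule] = [
    # Business rule: customers with an overdue balance are denied service access.
    Rule("overdue-balance-denied",
         lambda r: r.get("overdue_balance", 0) > 0, "deny"),
    # Role is just one attribute; protocol and source network are checked as well.
    Rule("engineering-build-data",
         lambda r: r["role"] in ENGINEERING_ROLES and r["resource"] == "build_data"
         and r["protocol"] == "https" and from_internal(r), "allow"),
    Rule("customer-portal",
         lambda r: r["role"] == "customer" and r["resource"] == "portal"
         and r["protocol"] == "https", "allow"),
]


def decide(request: Dict, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; no match means deny. Returns (effect, rule name)."""
    for rule in rules:
        if rule.condition(request):
            return rule.effect, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"role": "quality_engineer", "resource": "build_data", "protocol": "https", "src_ip": "10.2.3.4"},
        {"role": "quality_engineer", "resource": "build_data", "protocol": "https", "src_ip": "203.0.113.9"},
        {"role": "customer", "resource": "portal", "protocol": "https", "src_ip": "203.0.113.9", "overdue_balance": 120},
        {"role": "customer", "resource": "portal", "protocol": "https", "src_ip": "203.0.113.9"},
    ]
    for req in samples:
        print(decide(req))
```

Placing the deny rule first is a deliberate ordering choice: a business-level exclusion is evaluated before any allow, and the default-deny at the end means a request with attributes nobody wrote a rule for is refused rather than silently permitted.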
References used for this question:
http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf and
AIO v3 p. 162-167 and OIG (2007) p. 186-191
also
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
In Discretionary Access Control the subject has authority, within certain limitations,
A. but he is not permitted to specify what objects can be accessible and so we need to get an independent third party to specify what objects can be accessible.
B. to specify what objects can be accessible.
C. to specify on an aggregate basis without understanding what objects can be accessible.
D. to specify in full detail what objects can be accessible.
to specify what objects can be accessible.
With Discretionary Access Control, the subject has authority, within certain
limitations, to specify what objects can be accessible.
For example, access control lists can be used. This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access.
When a user, within certain limitations, has the right to alter the access control to certain
objects, this is termed as user-directed discretionary access control. In some instances, a
hybrid approach is used, which combines the features of user-based and identity-based
discretionary access control.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
and
HARRIS, Shon, All-In-One CISSP Certification Exam Guide 5th Edition, McGraw-
Hill/Osborne, 2010, Chapter 4: Access Control (page 210-211).
Access Control techniques do not include which of the following choices?
A. Relevant Access Controls
B. Discretionary Access Control
C. Mandatory Access Control
D. Lattice Based Access Control
Relevant Access Controls
Access Control Techniques
Discretionary Access Control
Mandatory Access Control
Lattice Based Access Control
Rule-Based Access Control
Role-Based Access Control
Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May
2002, CISSP Open Study Group Study Guide for Domain 1, Page 13.
Considerations of privacy, invasiveness, and psychological and physical comfort when
using the system are important elements for which of the following?
A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems
Acceptability of biometrics systems
Acceptability refers to considerations of privacy, invasiveness, and
psychological and physical comfort when using the system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.