What type of access control should Tom implement?

Tom’s company managers may be able to access an employee folder, but there needs to be detailed access control that indicates, for example, that they can access customers’ home addresses but not Social Security numbers. What type of access control should Tom implement?


A. Discretionary

B. Mandatory

C. RBAC

D. Privacy

Explanation:
The privacy of many different types of data needs to be protected, which is why many organizations have privacy officers and privacy policies today. The current access control models (MAC, DAC, RBAC) do not lend themselves to protecting data of a given sensitivity level, but instead limit the functions that the users can carry out. For example, managers may be able to access a Privacy folder, but there needs to be more detailed access control that indicates, for example, that they can access customers’ home addresses but not Social Security numbers. This is referred to as Privacy Aware Role Based Access Control.





Josh


Privacy is not an Access Control. If anything it should be “C” Role Based Access control.

Sam


Answer D is referring to Privacy Aware Role Based Access Control. RBAC by itself does not have the features required to restrict access beyond what is assigned per the role itself.

mamcneil


Privacy Aware Role Based Access is real. Google it and you will see. Though this is the first time that I have come across it.